August 7th, 2013
Just when I thought shoddy tech "journalism" couldn't stoop any lower, there is now a supposedly "new" report out that Chrome stores its passwords in plain text.
From Google Chrome security flaw offers unrestricted password access at The Guardian:
A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.
Absolutely no mention that this has been known for years. Why this is being reported now, I have no idea.
From Google Chrome flaw exposes user passwords at The Telegraph:
Software developer Elliott Kember stumbled across the vulnerability when importing his bookmarks from Apple's Safari browser to Google Chrome. He discovered that it was mandatory to import saved passwords from one browser to the other – something he described as 'odd'.
After doing a bit more digging, he found that Google does not protect passwords from being viewed when a user is logged in and running Chrome. Anyone with access to the computer can view stored passwords by going to the advanced settings page and clicking on the “Passwords and forms” option, followed by “Manage saved passwords”.
Here the reporter goes a step further to make it sound as if this is some new discovery.
This is not a new discovery. Many people, including the developers at Google, know about this, and have known about this for years. It's a deliberate (albeit bad) design choice. I knew about it in 2009, and I've known about it ever since.
Someone back in December 2008 already reported it to Google:
Google, Why does your browser Chrome not have a master password for saved passwords? This is ridiculous
and Google's response:
We understand that many of you want a master password for your saved passwords in Google Chrome. You’ve laid out many scenarios in which this might be useful, but the most common is that if your computer were to fall into the wrong hands, that person would then have access to your saved passwords.
While we agree that this situation would be terrible, we believe that a master password would not sufficiently protect you from danger. Someone with physical access to your computer could install a keylogger to steal your passwords or go to the sites where your passwords are stored and get them from the automatically filled-in password fields. A master password required to show saved passwords would not prevent these outcomes.
Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption.
We know this is a long-standing issue, and we see where you're coming from. Please know that your security is our highest priority, and our decision not to implement the master password feature is base
Okay. It took Google almost a year to make that official response, but that's still almost three years ago!
I thought the "There are millions of Android malware apps (which no one is actually installing)" scare headlines were bad enough. Now known bugs that are deliberate design choices are suddenly newly-discovered security flaws. I can't palm forehead this enough...
If you want to store passwords with a master password, use Firefox. The master password encrypts your saved passwords. It's not a perfect solution, but it's better than what Chrome's doing... and has been doing for years.
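The difference between the two designs described above (Google's "we encrypt on disk, but anyone logged in as you can read it" and Firefox's "the master password encrypts the store") comes down to where the decryption key lives. The following is an added example, not code from the post, from Chrome or from Firefox: a small saved-password store sealed with a key stretched from a master password, beside a store whose key sits in the user's profile and is therefore usable by any process running in that login session. It uses only the Python standard library; the stream cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) and the `profile` dict standing in for OS-held key material are constructed for the demonstration and are not a production design.

```python
"""Added example: master-password-sealed store vs. login-session-bound store.
Demonstration construction only (HMAC-CTR keystream + HMAC tag, stdlib-only)."""
import hashlib
import hmac
import json
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stands in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_keys(master_password: str, salt: bytes):
    # scrypt stretches the master password so offline guessing is expensive;
    # the output is split into an encryption key and a MAC key.
    material = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=64)
    return material[:32], material[32:]


def seal_store(passwords: dict, master_password: str) -> dict:
    """Encrypt a {site: password} mapping under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(passwords).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def open_store(blob: dict, master_password: str) -> Optional[dict]:
    """Return the mapping, or None if the master password is wrong or the blob was altered."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # nothing on disk reveals whether the guess was close
    return json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))


def seal_for_login_session(passwords: dict, profile: dict) -> dict:
    """The login-bound model: the key is kept in the user's profile (constructed
    stand-in for OS-held key material), so no secret is ever typed."""
    key = profile.setdefault("login_key", os.urandom(32))
    nonce = os.urandom(16)
    plaintext = json.dumps(passwords).encode("utf-8")
    return {"nonce": nonce.hex(),
            "ct": _xor(plaintext, _keystream(key, nonce, len(plaintext))).hex()}


def open_with_login_session(blob: dict, profile: dict) -> dict:
    """Any code running as the logged-in user reaches the same key and reads the store."""
    key = profile["login_key"]
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    return json.loads(_xor(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    saved = {"mail.example.test": "hunter2"}  # constructed sample entry
    sealed = seal_store(saved, "correct horse battery")
    print("right master password:", open_store(sealed, "correct horse battery"))
    print("wrong master password:", open_store(sealed, "guess"))
    profile = {}
    bound = seal_for_login_session(saved, profile)
    print("same login session, no prompt:", open_with_login_session(bound, profile))
```

The point the two halves make is the one both sides of the 2008 exchange agree on: the master-password store is only as strong as the password and the KDF cost, and it does nothing against a keylogger or against a browser that autofills the field, but it is the only one of the two that keeps the stored passwords out of reach of whoever is sitting at an unlocked, logged-in session.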