Chrome loses its shine
A software developer has recently drawn attention to a security flaw in the Google Chrome browser. Apparently it’s possible for anyone with access to a user’s computer to see all the passwords stored for email, social media and other sites, directly from the settings panel.
By selecting ‘Show advanced settings…’, then the ‘Passwords and forms’ section, then ‘Manage saved passwords’, it’s possible to see a list of obscured passwords, which can be revealed by clicking next to them. As the developer said, “The overwhelming majority [of people]…don’t know it works like this. They don’t expect it to be this easy to see their passwords.”
In response, the head of Google Chrome’s developer team said that while they were aware of the weakness, there were no plans to change the system. Others had recommended a ‘master password’ that controls access to the stored passwords, as seen on other browsers, but the team at Chrome considered this insufficient protection, as the passwords would still be recoverable by a determined ‘bad guy’. For that reason they preferred not to adopt it, saying that it would only encourage risky behavior and give users a false sense of security.
This prompted World Wide Web inventor Tim Berners-Lee to describe the response as ‘disappointing’, drawing attention to the flaw as a way ‘to get all your big sister’s passwords’. Indeed, many comments focused not on the need to protect your passwords from the serious hacker, but from casual access, such as from nosey boy/girlfriends, kids, acquaintances, work colleagues and the like. As one programmer put it, by that token we wouldn’t have door locks because anyone who really wants to get in can break the door down, or smash a window.
A more serious concern was voiced by a security manager at a publishing company, who said, “The fact you can view the passwords means they are stored in reversible form which means that the dark coders out there will be writing a Trojan to steal that password store as we speak”.
A columnist in a UK paper recently tried to see how many Chrome-saved passwords he was able to get hold of, and scored 52 in less than a minute, and by his own admission he was only an amateur hacker. His suggestion? If you are going to save your passwords you should only save them to “the grey mass between our ears”. Sensible, but as he said, sometimes he can barely remember his own PIN-code.
It all backs up what we have been hammering on about for a long time now. The day of the password is past. For risk-free authentication, it’s the TeleSign Verify-way or the highway.