Risk
8/8/2013
01:45 PM
50%
50%

Chrome Security Shocker Creates Password Anxiety

Google responds to criticism of stored password handling; security experts say Chrome security team is missing the forest for the trees.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Should people be able to instantly retrieve -- in plaintext -- all the saved passwords stored by the browser they're using?

That's the information security question of the week after Elliott Kember, a director at software development firm Riot, called out Chrome's insane password security strategy. "Google isn't clear about its password security," he said in a blog post, in which he accused Chrome of not behaving as ordinary users would expect. Specifically, after Chrome gets its hands on a password, the browser will reveal it with a single click.

Kember acknowledged that technically astute types often recommend that people avoid storing their passwords in the browser, and use a third-party password manager instead. Another common argument, he said, is that "the computer is already insecure as soon as you have physical access."

But would the average user -- who may share their computer with family or friends -- expect that anyone with access to their PC might so easily retrieve all stored passwords in a single go? "Go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click 'show' on a few of the rows. See what they have to say," said Kember. "I bet you it won't be 'That's how password management works.'"

[ Department of Homeland Security urges all website operators to check for vulnerability. Read HTTPS Hackable In 30 Seconds: DHS Alert. ]

Google's Chrome team, however, sees things differently. "I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position," posted Justin Schuh, head of Chrome security, to the Hacker News site. "And while you're certainly well intentioned, what you're proposing is that that we make users less safe than they are today by providing them [with] a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome."

Schuh added that passwords stored by any application on a system are "trivially recoverable" by anyone with access to that system, and said adding a master password to the application was "security theater."

Many security experts, however, said that Schuh missed the forest for the trees.

"How to get all your big sister's passwords ... and a disappointing reply from Chrome team," tweeted World Wide Web inventor Tim Berners-Lee.

How do other browsers handle passwords? Apple's Safari includes a "show password" setting, but to be enabled, OS X first requires the user to enter their master keychain password. In fact, Kember's post was sparked by his finding that when importing bookmarks on his Mac from Safari to Chrome, all of the passwords stored by Safari had to be automatically loaded into Chrome, at which point anyone with access to his Mac could reveal them with a single click -- no password required.

Like Chrome, both Firefox and Opera will show passwords, although they do allow users to restrict access to that feature by adding a master password. Still, per Schuh's comment, anyone with the requisite skills can still retrieve the stored passwords. The same applies for passwords stored by Internet Explorer, which can be retrieved via Registry tweaks or by using free third-party tools.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

CVE-2014-9197
Published: 2015-01-27
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

CVE-2014-9198
Published: 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

CVE-2014-9646
Published: 2015-01-27
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.