MarkC on UC Microsoft Skype for Business, Lync, Exchange & Everything Else

Google Chrome showing your saved passwords

In Google Chrome you can easily view your saved passwords.....

====
UPDATE 8 August 2013: Just for some clarification, this problem is also apparent in Firefox for OSX too - it doesn’t require you to authenticate either.
====

There’s been some discussion around the ability to easily display saved passwords in Google Chrome. In fact I see it’s hit
The Guardian today too. To show you what I mean, pop in to Preferences in Chrome, and select ‘Show Advanced Settings’. In there, you should see the option to ‘Manage Saved Passwords’:

Screen Shot 2013-08-07 at 21.58.25

If you click on the ‘Manage Saved Passwords’ you’ll get a screen showing your saved passwords (Who knew?) - by selecting one of the saved passwords, you can simply hit ‘Show’ and your saved password will be displayed:

FilteredPasswords


Interesting hey? Conversely in Safari, going into Preferences, selecting ‘Passwords’ and ‘Show Passwords’ results in the user having to re-authenticate before they can view them.

SafariExample

That’s obviously more secure.

To exploit this issue though you have to have physical access to a machine, and a user’s session - it’s arguable if you have physical access to a machine it’s already compromised in some respects isn’t it? What about if you wander away from your desk for example - if your passwords were in Safari they’d still be secure. A user accessing your machine could however still login to a site using your saved password, they just couldn’t view what it was.

What’s also interesting is that Chrome seems to be able to access Apple’s KeyChain service to display passwords
without authenticating? If that’s the case then not only can Chrome do it, anyone who can get some code on to your machine can do it too? Opening there for Malware isn’t there? See here for how Google Chrome uses your Keychain.

What’s even more interesting is that the head of Google's Chrome developer team, Justin Schuh, said he was aware of the weakness and that there were no plans to change the system. So it’s always going to be that way?

If you want, you can read
Schuh’s reasoning here. He does make some fairly reasoned points in my opinion:

====
I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.


Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.
====

It still however makes me uncomfortable that it’s so easy to access passwords without any form of authenticating the person asking for the passwords. I would be interested in hearing your opinion on this of course.

Small video running through the exposure below:




blog comments powered by Disqus