How to Steal Passwords Saved in Google Chrome in 5 Simple Steps

You see a lot of fear mongering over security risks in Google’s Android mobile OS. You really don’t hear too much about the company’s Chrome browser and security. But that could change just as quickly as you can search Google for “How to protect passwords stored in Google Chrome.”

Unfortunately, if you did perform this search query, you wouldn’t find a very good answer. Chrome not only stores all of its users’ saved passwords in plain text, it lets anyone with access to Chrome easily see all of the passwords of whoever is signed into their Google account via Chrome. (Other popular browsers store passwords the user elects to save, but you can’t access them without some type of login information.)

Email passwords, Twitter, Facebook, loyalty accounts, passwords for your wireless provider’s payment site, blog platforms, corporate systems, the whole shebang. Any password you tell Chrome to store can be quickly and easily accessed—and stolen.

It only takes five simple steps to access all of a Chrome user’s passwords. First you just click Settings in browser drop-down menu (it looks like three horizontal lines in the top-right corner of the window); then Show advanced settings at the bottom of the Settings window; hit Manage saved passwords under the Passwords and Forms box; and then click in the field next any of the saved passwords, represented by asterisks; and hit Show. That’s it.

Google also apparently knows all about this feature/flaw/f*&% up, and it’s not planning to do anything about it. Google Chrome security team member Justin Schuh said as much in a recent thread on Ycombinator.com.

Schuh reasons that if a Bad Guy has access to your Chrome browser, while you’re still signed in, he’s already won. And you’ve potentially lost more than all of your passwords. In a way he’s right. But it really shouldn’t be so simple to access all of a person’s passwords stored in Chrome. Some sort of restriction on the passwords should be available, or maybe even enabled by default. Because the average person has no idea how easy it is to currently access saved Chrome passwords. I didn’t, and I’m a technology journalist—though I’ve never claimed to be a good, or secure, one.

I leave my computer unlocked at work when I run to get a cup of coffee or use the little boys’ room all the time. Part of me knows that I’m opening myself up to risk, and if I leave for an extended period of time, I always lock my PC. But it would be incredibly simple for the IT guy, who I constantly bother with inane tech request, to run over to my PC, steal my Twitter password, and then tweet something like “If I only used the tools my IT team gave me as they were designed to be used, I’d actually get some work done. But that wouldn’t be any fun.”

Or imagine that you’re a college student in a shared dorm room, and your roommate’s friend is still pissed off about you grabbing the attention of the girl he was courting at the party last Friday. If he’s tech savvy, you could be in trouble next time you go grab lunch. You get the point.

Chrome is one of the most popular browsers today; it’s not just for tech nerds anymore. Google needs to keep this in mind and help protect the people who take it for granted that their sensitive information, including passwords, is at least partially protected by default.

AS

via TheGuardian.com