A very serious flaw has been pointed out in the Google Chrome browser: any user who has access to a particular computer can see every password stored for social media, email and any other website. All of the passwords can be viewed, without any encryption, through the settings panel in the browser.
Besides the passwords for personal accounts, sensitive company login details would also be compromised if a Chrome user leaves the computer unattended with an active screen.
Viewing the passwords is easy: click the settings icon, choose "show advanced settings", and then move on to "Manage and save passwords" in the section that says "Password and Forms". An obscured list of passwords for different sites will then be visible, and clicking beside a password shows it in plain text. The revealed text can be transferred to any outside source by copying it or by taking a screenshot.
Justin Schuh, who is the head of the Chrome developer team, said that they have been aware of the flaw and that there was no plan to make any changes to the system.
Sir Tim Berners-Lee, who is credited as the inventor of the web, termed the response very disappointing and said that this flaw is a way to get hold of all the sensitive logins and passwords of your big sisters.
Chrome is among the three most used browsers in the world, with millions of users, along with Internet Explorer from Microsoft and the Firefox browser. Chrome is seen as a crucial asset to the company in its future efforts to monetize use of the web by tying users to their Google accounts and then by developing synchronization between their mobile systems and their desktops.
Elliot Kember, a software developer who is from New Zealand and is based in the UK, pointed out this flaw in the Chrome browser. He said that the people using this browser are the general public, not developers. He also said that Google has advertised its browser massively on YouTube, on billboards and in cinema pre-rolls, and that there is no way that people would want their passwords to be accessible so easily. To sum up, he said that the flaw is not okay at all.
Some of the other browsers that had the same issue have since closed it. The same flaw was revealed in Firefox back in 2010, as it was using the same plain text for stored passwords, but it added the option of a master password to remove the flaw. No password will be revealed unless the master password is entered, provided that the user has set a master password for the purpose. Some of the older versions of Internet Explorer previously had the same flaw. Safari, the browser from Apple, likewise requires a master password before making any saved passwords visible.
Schuh mentioned on Hacker News that many have asked us why we aren't going for a master password or anything similar to it, even if we do not believe that it is going to work. We have had a lot of debates on the issue, always with the same result: we do not want to give our users false security options. We have made it very clear over and over again that when you give any user access to your OS, he/she can get at everything.
However, many developers hold a different viewpoint. One of them said that the effectiveness of a safe can only be judged by the time that must be invested to break it. No safe is unbreakable; it comes down to the effort, time span and noise needed to break it open. Installing some software or dumping the cookies will require time, but with no such security in place, any person without technical knowledge can get at all the passwords within a few clicks.
A security manager at a publishing company said that being able to view passwords in this manner shows that they are in reversible form when stored, which also means that dark coders can easily launch a Trojan to steal the passwords.