If you’re one of the millions of people using Google Chrome as your preferred browser, and if you happen to have any important passwords saved within the browser itself, you might just want to reconsider how wise that is.
Your data is, of course, at risk any time your computer is stolen, lost or borrowed by another person, but there are various measures we can put in place to protect against this. But whatever security precautions you take, this could all be undone in seconds if you happen to use Google’s browser, as software designer Elliott Kember revealed in a blog post called “Chrome’s Insane Password Security Strategy,” which later sparked an intense discussion on the Hacker News forum.
As Kember explains in his post, if you happen to be using Google Chrome to save and sync your passwords to log in to your favourite websites more easily, you could be in a whole lot of trouble. The browser apparently has an inherent security weakness, one that allows intruders to gain full, unrestricted access to all of your passwords in a matter of seconds, simply by visiting this page in Chrome’s settings: chrome://settings/passwords.
Open that link and you’ll stumble across the cache where all the passwords saved in Chrome are kept, which is synced with all the other devices you use. Okay, I hear you say, what’s so bad about that? Well, that cache can be opened to reveal a plaintext version of your passwords with just one click, allowing anyone using your computer to note down the passwords for your email, Facebook, Twitter, or any other service you access using Chrome.
Your password list, which cannot be locked down, includes the website address, username, and password for every site you’ve saved using Chrome. The passwords are hidden of course, but can easily be unmasked with a single click of the “Show” button.
So if anyone knows about this weakness and gains access to your computer – perhaps someone uses the desktop on your desk at work, or maybe a ‘friend’ just asks to borrow your laptop for two seconds to search for something – all it would take is a few seconds for them to glance at your passwords and compromise all of your accounts.