Elliott Kember [has a post up which details a security flaw in Google’s Chrome browser][1]. The flaw is that if you enter `chrome://settings/passwords` into Chrome you are taken to a screen which shows you the saved passwords in Chrome. Nothing crazy about that — you can do that for Mac OS X by opening Keychain Access. What’s crazy about Chrome is that, unlike Keychain Access, you can click a button in Chrome to show your password in plain text, all without any additional security (like asking for a password à la Keychain Access).
NO, *really* — you could literally password mine any Chrome user (assuming they use Chrome to manage their passwords) just by asking them if you could use their computer to check your email — you’d be done before they suspected a thing.
But that’s not the worst bit in my book.
Now Justin Schuh, reportedly the head of Chrome security (not sure if he is verified in any way there), has [taken to Hacker News][2] to *defend* this approach *and* chastise Kember.
Schuh:
> It matters that you {Kember} don’t seem to understand the threat model here. You think your passwords are protected somehow in other applications, but they’re simply not. The fact is that they’re still trivially recoverable, and if the bad guy can read them at all than *[sic]* he already has access to fully compromise your entire OS user account.
That’s not the argument, Schuh, the argument is that Chrome is doing a shit job securing its passwords, not that all other apps are secure. But that deflates the argument…
And:
> So, you’re arguing that we take measures to make users think they’re safe when they’ve already surrendered any pretense of security. Effectively, you’re asking that we lull our users into a false sense of security.
Bullshit, Schuh, bull-*fucking*-shit. There’s a difference between passwords that are trivially recovered by a layperson and passwords that are trivially recovered by a developer. If you give a Mac developer 5 minutes on my Mac to recover as many passwords as possible the best route will be Chrome (again, if I used Chrome for password storage) — not looking through plists or application resources (among other things) to find passwords. In five minutes it is trivial for anyone aware of this “feature” of Chrome to password mine a huge number of passwords.
While Schuh may be technically right about how insecure other password storage is, it is hardly an excuse for making password recovery *even easier* for jealous spouses, exes, roommates, etc. Just because carpools don’t require TSA-level screening doesn’t mean that airplanes would be fine without said screening.
I would highly recommend you delete all passwords in Chrome, buy 1Password, and switch to a browser that gives a shit about your security (i.e. not Chrome).
I’ve been using Chrome on my Mac for websites that require Flash, but I’m done — it’s deleted.
**UPDATE**: A few readers have emailed in to say that Firefox is just as bad… Which leaves you with Safari.
[1]: http://blog.elliottkember.com/chromes-insane-password-security-strategy
[2]: https://news.ycombinator.com/item?id=6166886