V3.co.uk

Google and security community come to blows on Chrome password strategy

Chrome boss says researcher's findings are misguided

google-chrome-logo
  •  
  •  
  • Save this article  
0 Comments

Google engineers have lashed out at a software developer who published research attacking the way the Chrome browser stores passwords.

Software developer Elliott Kember criticised Chrome's password storage protocols in a blog post, claiming he noticed a number of misleading messages when attempting to import bookmarks from Safari to Chrome.

A pop-up window appeared, with an option to import saved passwords ticked and greyed out, so it could not be changed. "Why is ‘Saved passwords' greyed out, and mandatory? Why have a check-box? This is the illusion of choice," Kember wrote.

Kember said after exploring the strange pop-up, he found evidence that Google Chrome is storing passwords in plain text without alerting its end users, theoretically leaving them open to attack from hackers. "There's no master password, no security, not even a prompt that ‘these passwords are visible'. Visit chrome://settings/passwords in Chrome if you don't believe me," he wrote.

"Google isn't clear about its password security. In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market – the users. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay."

Google security tech lead for Chrome Justin Schuh, posted a reply to Kember's blog saying his research was misguided. "I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position. And while you're certainly well intentioned, what you're proposing is that that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome," he wrote.

He added that Google's strategy is based on meticulous research and is designed to keep end users as safe as possible. "The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre."

"Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants."

Google declined V3's request for comment on whether Schuh's statements are the company's official response. However, Malwarebytes Armando Orozco has lent credence to Schuh's claims, confirming that Google is not the only company to follow the strategy.

"He [Kember] has a good point, sometimes all bets are off when a bad guy gets access to your PC – although you can make the job difficult by not having passwords easily accessible. If you want to clear out any stored passwords in Chrome you can remove in its advanced settings under 'Passwords and Forms'. Access by going to Chrome's menu -> Settings," he wrote in a blog post.

"Firefox also has this feature and is accessible through the Firefox menu then Options -> Options -> Security -> Saved Passwords. Firefox does prompt when accessing 'Save Passwords' but reveals them just the same. So this is not strictly a Chrome thing. If you do like to use password store features don't use on a ‘community' PC or leave your PC unlocked when away."

Passwords have become an increasingly valuable commodity for cyber criminals, who regularly use them to mount sophisticated phishing scams, or sell them on underground black markets. Most recently password stealing attacks have been reported targeting the Google and Apple developer forums.

  •  
  •  
  • Save this article  

V3 Latest

blog comments powered by Disqus