Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

Chrome Flaw Lets Users View Passwords in Plain text - fixedByVonnie

Chrome Flaw Lets Users View Passwords in Plain text

Google Chrome Password Manager Vulnerability

Did you know that Google Chrome stores saved passwords in plain text on your local computer?

Open Chrome and type this in the address bar:


Chrome Reveal Saved Passwords

Google corrals all your passwords in one place but none are encrypted.  In fact, viewing the saved passwords is as easy as clicking the Show button next to the password dots.

This actually isn’t new news, but Elliott Kember, Software Developer and Director at Riot, brought it up on his blog yesterday.


Now your first response might be:

“Hey Vonnie, you’re overreacting.  If someone already has physical access to your system then your computer is ready to be compromised.”  Or perhaps you’re thinking, “What’s the big deal?  Just use free password management software like LastPass and be done with it”.

Although these points are valid, I think they miss the core issue here: Google isn’t as transparent as it should be when it comes to password management.

The Problem

Most people know nothing about password management. If you sat down at your co-worker’s computer, opened Chrome, went to his Password Settings and clicked Show, I doubt he’s going to say, “Oh well, I guess I’ll just use LastPass”.

My point is that people don’t expect it to be this easy to view their passwords!  And given that most people use the same password to access multiple web resources, comprising saved passwords could be worse than deleterious because suddenly almost all the victims digital assets are instantly at risk.

Chrome do you want to save your password?

Chrome isn’t transparent about Password Security

When Google Chrome prompts you to save your password it doesn’t tell you that it’s accessible to anyone who visits your password settings.

Justin Schuh, head of Security for Chrome offered this defense on Hackernews yesterday.

The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.

You can read the rest of his response on Hackernews but I think the central thrust of his argument is flawed because it puts too much responsibility on the OS.  It’s like saying there’s no need to lock the safe in your bedroom as long as the front door of your house is bolted shut.  In other words, what’s the point of locking the safe because once the thief is on the inside he has carte blanche access to all your valuables.

But, don’t you think having a combination lock on the safe might cause a less determined thief to look for something else? For something easier to steal first?

In my metaphor the front door is the password protected login screen of the OS and the Safe is Google Chrome.  Chrome is an open safe – and there’s nothing safe about that.


Any security methodology will always have holes but different vulnerabilities require different levels of technical aptitude to succeed.  If someone gains access to your physical machine they can wreak havoc on the system by stealing session cookies and installing malware on it but that requires specialized knowledge.  The problem is that today, with this Google flaw, almost any eight year old kid can sit at her big bothers computer, pop open Chrome and steal his Facebook passwords.

The point of security is not to make data theft impossible but rather to make it as hard as possible to break so less determined hackers search for easier prey.

Neither Justin nor Google seems to understand this basic point, and quite frankly it’s a bit irritating.

All I’m advocating is that Google implement another layer of security that makes it a little harder to view clear text passwords.  Maybe a simple sign-in requirement for the Passwords Setting page would suffice?  I’m just really annoyed that such a large company like Google doesn’t seem interested in protecting it’s customers interests like it should.

What do you guys think about all this?  Am I overreacting? Let me know in the comments below…


Connect with Vonnie on Twitter

Posted in Google Chrome, News, Security, Web Browsers Tagged with: