Google Chrome password access bug discovered
Security flaw shows details of all stored logins in Settings panel.


A security flaw has been uncovered in Google's Chrome web browser that can give anyone unfettered access to users' stored logins, and there are reportedly no plans to fix it.
The bug was discovered by software developer Elliott Kember, who found that in the password section of the browser's settings panel, saved passwords can be revealed in plain text simply by clicking a button labelled 'show'.
"There's no master password, no security, not even a prompt that 'these passwords are visible'," said Kember in a blog highlighting the problem.
Kember said while some developers are aware of this flaw, everyday users are not.
"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this.
"They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay," he said.
However, Justin Schuh, Chrome browser security tech lead at Google, said this is not a fault and the company is not going to change it.
"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre," he wrote on Hacker News.
"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get," he concluded.
While many commenters agreed a master password or other additional security layer would not stop a determined and knowledgeable hacker, they argued it would help prevent crimes of opportunity.
In a Tweet, Tim Berners-Lee, inventor of the World Wide Web, described the flaw as "how to get all [your] big sister's passwords" and said the reply from Schuh was "disappointing".
Another set of security bugs has also been found in the past 48 hours, this time affecting a number of Mozilla products.
The foundation has released updates for Firefox 23.0, Firefox ESR 17.0.8, Thunderbird 17.0.8, Thunderbird ESR 17.0.8 and SeaMonkey 2.20 to address multiple vulnerabilities that could, according to an advisory notice from the United States Computer Emergency Readiness Team (US-CERT), allow hackers to remotely cause a denial of service condition, conduct a cross-site scripting attack, execute arbitrary code, or bypass restrictions.
Administrators and users of these services are advised to apply the updates in order to avoid falling victim to an attack.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.