If you've enabled Google Chrome's 'Offer to save passwords I enter on the web' feature and have saved some or all of your passwords through it, you should remember to sign-out of your Google account in Chrome, especially if you use the browser on a shared computer.
Google's popular Web browser allows you to save your passwords and manage them through a menu in the browser's Settings page. When you click on 'Manage saved passwords' you get a list of your Saved passwords as well as a list of websites where you have instructed the browser to 'never save'. Interestingly, when you click on one of your saved passwords, Google gives you the option to see the password in plain text by clicking on the 'Show' button which is placed along with the listing. It doesn't ask for a confirmation or any additional verification by, say, prompting for your Google account's password.
It's worth pointing out that this 'vulnerability' - or feature as Google calls it (see below) - has been present in Chrome since its early days.
Once signed in to your Google account on Chrome, the browser pulls all your bookmarks, browsing history and passwords. This means that if you forget to sign out while using Chrome on a shared computer, anyone will be able to access your saved passwords easily. Or someone sitting next to you while you are using the computer can distracting you momentarily. Someone accessing your computer remotely can also see these passwords, if you're not constantly supervising. The intruder can change the password and block access to your service accounts, as well.
Software designer Elliott Kember pointed out the security flaw through a blog post. Interestingly, a Chrome developer told Kember on a discussion thread on Hacker News that the security flaw is in fact a feature of the browser. He said that the main password boundary for the user was the OS user account and there were vulnerabilities that could be exploited if that is breached
We'd recommend not to sign-in to Chrome while using a shared computer, but the best option would be to not save passwords through the browser's default passwords manager. Tools like 1Passwordand LastPass are better ways of storing passwords, and they need a master password before giving you access to your passwords, offering increased security.
Google's popular Web browser allows you to save your passwords and manage them through a menu in the browser's Settings page. When you click on 'Manage saved passwords' you get a list of your Saved passwords as well as a list of websites where you have instructed the browser to 'never save'. Interestingly, when you click on one of your saved passwords, Google gives you the option to see the password in plain text by clicking on the 'Show' button which is placed along with the listing. It doesn't ask for a confirmation or any additional verification by, say, prompting for your Google account's password.
It's worth pointing out that this 'vulnerability' - or feature as Google calls it (see below) - has been present in Chrome since its early days.Once signed in to your Google account on Chrome, the browser pulls all your bookmarks, browsing history and passwords. This means that if you forget to sign out while using Chrome on a shared computer, anyone will be able to access your saved passwords easily. Or someone sitting next to you while you are using the computer can distracting you momentarily. Someone accessing your computer remotely can also see these passwords, if you're not constantly supervising. The intruder can change the password and block access to your service accounts, as well.
Software designer Elliott Kember pointed out the security flaw through a blog post. Interestingly, a Chrome developer told Kember on a discussion thread on Hacker News that the security flaw is in fact a feature of the browser. He said that the main password boundary for the user was the OS user account and there were vulnerabilities that could be exploited if that is breached
We'd recommend not to sign-in to Chrome while using a shared computer, but the best option would be to not save passwords through the browser's default passwords manager. Tools like 1Passwordand LastPass are better ways of storing passwords, and they need a master password before giving you access to your passwords, offering increased security.
No comments:
Post a Comment