Type in a very few words into Google Chrome browser – the market share leader in most surveys – and a full list of websites and their associated passwords displays on the screen.
Reported by UK software developer Elliot Kember, the phrase that unlocks the password display is: chrome://settings/passwords. Type that into the browser address bar and it reveals a list of saved passwords. Highlight a site and what’s shown is the password in plain text.
Wrote Kember in his blog, “They [everyday users] don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not OK.”
In a test by a reporter, Chrome indeed displayed a lengthy line up of some two dozen saved passwords for sites ranging from Hootsuite to Twitter. Also included was the master login to a number of Google accounts including GMail,
Not included in the list were any financially related sites. No credit union, no bank, no PayPal, no credit card issuers.
UK newspaper The Guardian reported that the head of Google’s Chrome team indicated there are no plans to change this system.
Many users are said to save their passwords by sending emails to themselves, so that their email box becomes a de facto password cache. Access the email and those passwords, theoretically, could be found.
To exploit Kember’s vulnerability, a criminal would need to find an unattended computer, with Chrome installed. What would then be revealed are the passwords which the user elected to save in Chrome.