Aren’t modern browsers great? They have loads of great features, like remembering your passwords and auto-filling them in for you whenever needed. But what if those stored passwords were easily discoverable by anyone with access to your computer?
That’s the situation with Google Chrome. Going through the Settings UI to password management lets you view every saved password in plain text with just a single click. No hacking needed! Of course, in order to do this, the intruder would need physical access to your logged-in machine, but that’s not exactly uncommon in communal environments such as your home or work.
Needless to say, the Twitterati are up in arms, with everyone asking Google why there isn’t an extra layer of security to stop this trivial exploit. Justin Schuh, Chrome’s Head of Security, has responded in a post on Y Combinator. Schuh basically says that this would create a false sense of security, as once someone has access to your logged-in system the game is already lost. While this would be the case if your system was accessed by Kevin Mitnick, I’m pretty confident that even rudimentary measures would be enough to put off the people most likely to actually have access to your logged-in hardware (friends, family and colleagues).
From that perspective, it’s a bit of a disappointing response. In the meantime, we’d advise all you Chrome users to keep your unattended computers locked and use Google’s (awesome) two-factor authentication to stay secure. Or you could just switch to another browser.