A newly publicised weakness in Google's Chrome browser has taken the digital world by storm. It concerns the passwords the browser offers to save for websites. Saving passwords is perfectly normal; what surprised many is that once a user has saved a password, say for a popular social network, a webmail account or any other site, it sits in Chrome's saved-passwords list, and anyone who opens the browser's advanced settings can view that list. The worst part is that the snooper sees each password in clear text, not as the row of asterisks shown on login screens.
This flaw in the Chrome browser was described yesterday by New Zealand-based Elliott Kember, a software developer and director at Riot. Kember wrote in his blog post: "Google isn't clear about its password security. In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."
You can read Kember's full blog post on this flaw, which he titled "Chrome's insane password security strategy", here.
Why should Google fix this?
Let's get this straight. On any given day a user logs into many different sites, and keying in a username and password every single time is a chore, so many people take the easier route and let the browser save their login details for quick sign-in.
Against that backdrop, consider a simple compromise scenario: someone borrows your computer. Even if you have logged out of every site, the borrower can still open the saved-passwords page and read the entries, or just take a screenshot of the whole list, and then log into your email or social networks as you. The only thing standing between them and the list is your operating-system login, which you have already handed over by lending them the machine. That's scary, right?
Scarier still, when Kember raised this with Google, the reply he got from Justin Schuh, head of Chrome security, was that the team was well aware of the behaviour and had no plans to change it. Schuh's position was that once someone has access to your operating-system account they can get at the stored passwords regardless, so a master password would only give a false sense of security. Whatever the merits of that argument, it reads as a dismissive response.
Clearly the devil is in the details, and this unrestricted display of passwords has unsettled users; the volume of debate on Twitter and other social media is proof enough.
So how do other browsers such as IE, Firefox and Safari handle this? They faced similar criticism in the past, but today they put a barrier in front of the stored list: Firefox can require a master password before revealing site passwords (if the user has set one), and Safari asks for the user's account password first. That makes a good deal more sense.
Internet Explorer, for instance, keeps login details encrypted in the Windows registry rather than in a viewable list, so there is no screen that shows them in clear text. Third-party password-recovery tools can still pull them out, though: the encryption is tied to the Windows user account, so any program running as that user can decrypt the data. Note that a firewall is no defence here, since such a tool runs locally and needs no network access; the real protection is not letting untrusted software run under your account in the first place, and informed users will be wary of installing such tools.
Turning back to Chrome, Tim Berners-Lee, director of the World Wide Web Consortium (W3C) and the British inventor of the Web, called Google's reaction to Kember's post "very disappointing". In a tweet he sarcastically captioned the Chrome flaw "how to get all your big sister's passwords".
As the debate continues, Google's casual response has further angered bloggers. With the behaviour now widely known, what users can do right away is clear the saved-passwords list in Chrome's advanced settings and turn off the "Offer to save passwords" option. Bear in mind that turning off the option only stops new passwords being saved; anything already in the list remains readable until it is deleted, and the store on disk is still only as safe as your operating-system login.
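The two practical points above, that anyone running as your OS user can enumerate the store without touching the settings page, and that the remedy is to purge the list and keep the save-password feature off, can be shown in code. The following Python script is an added example and is not part of this article or of Chrome's own code. It builds a constructed copy of the `logins` table from Chrome's `Login Data` SQLite file (a real profile keeps that file in the profile directory, e.g. `~/.config/google-chrome/Default/Login Data` on Linux), lists and purges its rows, and writes a Chrome managed policy (`PasswordManagerEnabled: false`) that locks the "offer to save" toggle off so it cannot quietly be re-enabled. The sample rows are made up; real `password_value` blobs are encrypted with an OS-specific key (DPAPI on Windows, the Keychain on macOS, the keyring or a fixed key on Linux), which is why the example only reports their length. The `demo` helper and the policy file name are the author's own choices.

```python
"""Added example, not from the article or from Chrome: audit and purge a
Chrome-style saved-password store, then pin 'offer to save passwords' off
with a managed policy. The schema is a reduced, constructed copy of the
'logins' table in Chrome's 'Login Data' file; the rows are made up.
"""
import json
import os
import sqlite3
import tempfile

# Constructed sample rows: (origin_url, username_value, password_value).
# A real profile stores password_value as an OS-encrypted blob (DPAPI on
# Windows, Keychain on macOS, keyring or a fixed key on Linux); plaintext
# placeholders are used here so the example runs anywhere.
SAMPLE_LOGINS = [
    ("https://mail.example.com/", "alice", b"hunter2"),
    ("https://social.example.net/login", "alice", b"correct horse"),
    ("https://bank.example.org/", "alice.w", b"s3cret!"),
]


def build_sample_store(path):
    """Create a constructed 'Login Data'-like SQLite file at path."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE logins ("
        "origin_url VARCHAR NOT NULL, "
        "username_value VARCHAR, "
        "password_value BLOB)"
    )
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", SAMPLE_LOGINS)
    con.commit()
    con.close()
    return path


def list_saved_logins(path):
    """Enumerate saved credentials the way any process running as the
    profile owner can: no master password, no settings page, just the
    file. Returns (origin, username, byte length of the stored blob)."""
    # Chrome keeps the live file locked while running; copy it first.
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT origin_url, username_value, length(password_value) "
        "FROM logins ORDER BY origin_url"
    ).fetchall()
    con.close()
    return rows


def purge_saved_logins(path):
    """Delete every saved credential and return how many were removed."""
    con = sqlite3.connect(path)
    (count,) = con.execute("SELECT COUNT(*) FROM logins").fetchone()
    con.execute("DELETE FROM logins")
    con.commit()
    con.close()
    return count


def write_password_manager_policy(policy_dir):
    """Write a managed policy that disables the password manager, which
    locks the 'Offer to save passwords' toggle off. On Linux Chrome reads
    /etc/opt/chrome/policies/managed/; the directory is a parameter here
    so the example can target a scratch location."""
    os.makedirs(policy_dir, exist_ok=True)
    policy_path = os.path.join(policy_dir, "password_manager.json")
    with open(policy_path, "w") as f:
        json.dump({"PasswordManagerEnabled": False}, f, indent=2)
    return policy_path


def demo(workdir=None):
    """Run the whole sequence in a scratch directory and return what was
    observed, so the behaviour can be checked rather than just printed."""
    workdir = workdir or tempfile.mkdtemp(prefix="chrome-pw-")
    store = build_sample_store(os.path.join(workdir, "Login Data"))
    before = list_saved_logins(store)
    removed = purge_saved_logins(store)
    after = list_saved_logins(store)
    policy_path = write_password_manager_policy(os.path.join(workdir, "managed"))
    with open(policy_path) as f:
        policy = json.load(f)
    return {"before": before, "removed": removed, "after": after, "policy": policy}


if __name__ == "__main__":
    result = demo()
    for origin, user, size in result["before"]:
        print(f"{origin:40} {user:10} ({size}-byte stored blob)")
    print(f"purged {result['removed']} entries; {len(result['after'])} remain")
    print("policy written:", result["policy"])
```

Point `list_saved_logins` at a copy of a real `Login Data` file and it will list every origin and username the profile has saved, which is the same information the settings page shows minus the decrypted password; that is the whole of Schuh's argument in one query. The policy file is the part a user cannot undo from the settings page, which is why an administrator would prefer it over asking people to untick a box.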
In the longer term, Google risks losing users if it does not come up with a fix.
Are you a Chrome user? Do you save passwords? Let us hear what you think of this security flaw and what you intend to do about it.