Google Chrome Password Security Vulnerability - Hacking

Chrome Stealing Passwords Made Easy

Google Chrome Password Security Vulnerability

Is your computer safe from intrusion and malicious attacks? I doubt it. Most of the internet users have been mentally abused by decades of crappy security anti-virus products (snake-oil) and have come to accept them as a guaranteed form of security.

The majority of anti-virus products have been unsuccessful in stopping hackers dumping session cookies, grabbing your history, installing malicious extensions that intercept browser activities, let alone installing OS user account level monitoring software. Security programmers have a hard time keeping up with hackers.

But Google Chrome has now made it easy for school kids, girl friends, work associates, family or friends to crack all passwords saved in Chrome in 5 seconds. Hackers on the other hand take a lot longer, some less successful than others.

Most non-technical users (which would be the vast majority of the population) don't know you can access Chrome's saved passwords in chrome/settings/passwords.

Google Chrome is essentially allowing slightly technical users like school kids to easily view passwords, and neglecting to clearly warn the non-tech users of this vulnerability stating it will give the user a false sense of security. I was always under the impression avoiding a false sense of security entails informing the user about the "view password" function, rather than avoiding it.

Stealing Chrome saved passwords is as simple and less time consuming than going for a piss.

Stealing Chrome saved passwords

You click on the customize link at the top right of Chrome then click on settings, under advanced setting you click "Manage saved passwords".

Chrome passwords manager pop-up

A pop-up will appear with ALL saved paswords. Click the account then click "show". And that's it.

Chrome passwords pop-up

So what's the big deal if Chrome displays passwords?

The big deal is your passwords can now be accessed by anyone that uses your computer, regardless whether you login to your gmail account or not. Chrome neglects to inform the user about the password vulnerability. If the users know their passwords are stored in such an easily accessible way they wouldn't use the "Do you want to save your password" feature. Or for that matter use Google Chrome. Googles attitude is "your passwords are at anyway at risk from hackers".

But what Google neglect to recognise is, they are the easy gateway to hacking.

Enable Autofill Displays Credit Card Passwords

And what's even worst is "Enable Autofill to fill out web forms in a single click". Chrome automatically stores your credentials if you have checked the box.

Just the other day I subscribed to an affiliate program to find all my data visible in Autofill. It seems by default when downloading Chrome "Autofill to fill out web forms in a single click" is enabled. I nearly crapped myself when I viewed the information stored in Autofill due to others using my laptop.

If you click on settings then "Manage Autofill settings" you can view credit card and other personal credentials.

Enable Autofill Displays Credit Card Passwords

This is what Google has to say:

If you don't want to see saved personal information every time you fill out a form, you can turn it off.

Windows Autofill Display Credit Card Security Warning


Windows security themselves has the following to say about using Chrome Autofill:

Although the autofill feature is comfortable to use (for systems used by a single person) it should be avoided since it is proven to be a risk. A victim could offer to any https webpage sensitive data such as credit card number and expiration date, without the victim noticing

Chrome stores credit card data like card-holder name, card number as well as expiration date. Attacker now pray on Chrome by taking advantage of this saved information by creating https websites that operate from SSL connections with simple forms that the users fill in. The attacker then uses autofill to get stored sensitive data, even been able to bypass Chrome's so called security obstacles.

http://blog.elevenpaths.com/2013/10/how-to-take-advantage-of-chrome.html

It surprises me that Google above all others don't realise that storing data in a browser is not a good idea, specifically passwords that can be viewed in clear text. And even worst of all, they don't inform the public of the security risks.

Conclusion/Summery

Google go further to say its your responsibility to password protect your computer and not to allow others to use it. Damn, could you just imagine telling your child and his friends they cant play computer games, or telling your girlfriend, co-worker and family members they cant use your computer to check their email, etc.

And if my clients restricted me from using their computers, I wouldn't have many clients.