

Security flaw in Google Chrome? - skid

I was at a friend's party a week ago and he was playing music on YouTube. I mistakenly logged into his Google Chrome (this is a recent feature) with my Google account and logged out immediately when I realized my mistake.

Some days later I logged in and connected my own Google Chrome with my Google account. I got all the friend's bookmarks, which is ok. A day later, I opened the browser and tried to log into Gmail (I didn't have the "remember me" option turned on) and I got my friend's email AND password pre-filled in the Gmail login form. I could read his password with document.getElementById('Passwd').value.

Has anyone also done this? Google is apparently syncing your passwords unencrypted.
======
capocani
Not a security flaw, you just synced his browser settings with your account.
The proper way to log into another person's Chrome is by adding a new user in
the "Personal Stuff" area first.

~~~
skid
I think the security flaw here is that Google is keeping your password
unhashed somewhere on their servers.

~~~
capocani
chrome://settings/syncSetup

Passwords are encrypted by default, the other option is to encrypt all synced
data.

You should clear your friend's sync data from your dashboard BTW:
<https://www.google.com/dashboard/>

~~~
skid
I guess it's ok. But they should make it more obvious when you first log into
Chrome.

