

Google Chrome security flaw offers unrestricted password access - kgarten
http://www.theguardian.com/technology/2013/aug/07/google-chrome-password-security-flaw 

======
sirsar
>passwords [...] are stored in reversible form

Please show me a password manager which does NOT store passwords in a
reversible form. Hint: it's not possible.

~~~
avty
It is possible with SSO.

~~~
dragonwriter
No, SSO is a different solution to some of the same problems solved by a
password manager, it is not a means of having a password manager that stores
passwords in an irreversible form.

------
mxfh
My wife showed me this, to my surprise, some months ago already. The behavior
seemed a bit unexpected at first, yet I came to a conclusion similar to the
one discussed here:
[https://news.ycombinator.com/item?id=6166731](https://news.ycombinator.com/item?id=6166731)

So, unless you're not in a fully-trusted access-controlled physical environment
(a.k.a. home, arguably preferably with no adolescent kids around) always lock
your OS when leaving it running unattended.

------
tlongren
This is a horrible article, nothing but fear mongering.

There's no bug, this is just how it was designed.

Elliott Kember, the supposed discoverer, is way behind and is stupid, mostly
for taking credit for this "discovery". I was using this feature to find
forgotten passwords months and months ago.

------
knodi123
"the new zealand developer who discovered this flaw"??? It's just a settings
page. I've been using this "flaw" to retrieve saved passwords that I forgot
for ages.

Before this feature, I used to have to use auto-fill and then sniff the id of
the password field and type
javascript:alert(document.getElementById('password').value) in the address
bar.

If you have a highly secure password, don't allow your browser to save it.
Once your browser has saved it, I don't mind if it's easily accessible instead
of complicatedly accessible...

------
ColinWright
See also:

[https://news.ycombinator.com/item?id=6165708](https://news.ycombinator.com/item?id=6165708)
(much discussion)

[https://news.ycombinator.com/item?id=6167331](https://news.ycombinator.com/item?id=6167331)

[https://news.ycombinator.com/item?id=6171813](https://news.ycombinator.com/item?id=6171813)
(moderate discussion)

[https://news.ycombinator.com/item?id=6171979](https://news.ycombinator.com/item?id=6171979)

------
antimatter15
Long before Chrome even existed, anyone with a flash drive could have used any
of these apps
([http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html))
to trivially recover plaintext passwords. Plugging in a flash drive (or merely
downloading it off the internet) and running a small program (which even saves
the hassle of having to manually hit show on each of the passwords or
navigating the menus of the settings page) can reveal not only Chrome
passwords, but IE, Firefox, Opera, Wireless Keys, VNC, Windows Live Messenger,
Yahoo Messenger, ICQ, AIM, Windows Live Mail, Outlook, IncrediMail, Eudora,
Netscape Mail, and Thunderbird.

------
jdp23
Nice to see the HN discussion quoted in the article.

Presumably, based on Justin's comments in the other thread, Google's happy to
see this article. After all, it will help keep users from having a false sense
of security when using Chrome :)

~~~
ZeroGravitas
Sadly it seems to be promoting a false sense of security for all other
browsers. Both by getting facts wrong, and by the general tone.

Luckily for everyone, no-one pays any attention to this stuff, so Chrome are
free to continue trying to improve security.

------
scragg
I thought this was common knowledge? The article makes it seem like a
just-discovered thing.

------
mtkd
In one of the previous threads on this there was some lack of sympathy for
people who get compromised because of this 'feature not flaw'.

Do bear in mind that your private information is often secured by other
parties.

For instance if a colleague or partner is compromised every private email
you've ever sent to them is now visible to someone else to read or forward.

------
eli
This exact same article was posted a few hours ago:
[https://news.ycombinator.com/item?id=6171813](https://news.ycombinator.com/item?id=6171813)

------
lbcadden3
This is a very very old feature of Chrome. It has been there since I started
using Chrome a few years ago.

Must be a slow news day.

------
mwww
Another reason why it is so important to secure your online accounts with
two-factor authentication wherever possible.

------
psychous
People weren't aware of this already? I thought it was just a (bad) feature.

~~~
darkarmani
I thought chrome always used the OS X keychain for passwords, but that doesn't
look correct anymore.

------
robomartin
> Elliott Kember, a UK-based software developer from New Zealand who
> discovered the flaw

Oh, please! This has been discussed in various official Chrome support lists
for years. I have brought it up here on HN multiple times. Here's one from a
year and a half ago:

[https://news.ycombinator.com/item?id=3654830](https://news.ycombinator.com/item?id=3654830)

I was not, by any measure, the first to highlight this. The issue has been
hotly debated on the chromium forum since at least 2008. Yes, FIVE years ago.

[https://code.google.com/p/chromium/issues/detail?id=1397](https://code.google.com/p/chromium/issues/detail?id=1397)

The Guardian reveals utter ignorance by declaring that this fellow "discovered
the flaw".

I felt compelled to post a comment on the Guardian. Here it is:

[http://discussion.guardian.co.uk/comment-permalink/25827439](http://discussion.guardian.co.uk/comment-permalink/25827439)

Before anyone goes for my throat, look, I realize that browsers need to have
access to the unencrypted data in order to fill out forms. I get that.
However, Google/Chrome ought to give me the choice to have to enter a master
password every time that data is requested. In other words, the browser should
not, independent of my input, have access to my encrypted data.

With this comes the possibility of perhaps allowing some passwords to be
unencrypted. I make a distinction between a password for non-critical sites
(i.e.: posting comments on The Guardian) and financially or personally
critical services such as bank accounts, various developer accounts, payroll
services, etc. I could and should be able to tell the browser which
non-critical logins could be stored without encryption and, therefore, available
to the browser without my authorization. Everything else should be secure.

If they enabled a master password they'd probably deal with 75% to 99% of the
cases where an average user's machine could be accessed by what I am going to
call a hypothetical evil ten year old kid. If you lose your laptop or leave
it behind at the coffee shop this can also be a good layer of protection for
anyone but those intent on stealing your private information.

Locking your workstation isn't a solution. You can break into a Windows
machine in a few minutes by using software that removes user passwords. Very
easy. I have a disk with such software (legally purchased, not some obscure
warez-site crap) for use when an employee leaves and forgets to unlock their
workstation (or leaves it locked intentionally). Telling people that they
ought to log out and have passwords on their user accounts is pointless.
Getting past user logins is stupid-easy.

I am mostly talking about what I've come to refer to as the "Uncle Fester"
user. A bit of humor there but not a pejorative at all. This includes my
mother, uncle, local school teacher, cop, soccer coach. Anyone who is not tech
savvy and has no clue whatsoever about what is going on and what the potential
risks might be. They only know enough about computers to push the mouse around
and use it and maybe a little bit above that. This, again, is not a
pejorative. We can't expect or demand that the average computer user be a CS
grad with a minor in security. That's just not reality.

On the assumption that my proposed user profile is on point, we, then, are
responsible for guiding them towards safe usage. This means both informing as
well as providing them with tools to help protect them. Taking a Silicon
Valley CS-expert academic view of the world is not helpful to anyone. A simple
master password would remove a huge layer of risk for most users. It's that
simple.

And, of course, the browser is exactly where the user ought to be educated
about the choices he or she has to make. You should not be able to store
passwords casually without having to read a few single-sentence pages
explaining the consequences of what you are about to do. I say a few
single-sentence pages because if you fill a page with text people will treat it just
like a TOS page and click through without reading any of it.

Here's one potential sequence. Each sentence is displayed in large print
against a white background. The button used to advance from one screen to the
next would have an activation delay of several seconds in order to prevent the
user from rapidly clicking through these pages.

    
    
      "Saving passwords in the browser can be risky"   
        buttons: "Tell me more", "Cancel"
      
      "Anyone who gains access to your computer will 
       be able to see your logins and passwords."
         buttons: "Tell me more", "Cancel"
    
      "You can reduce the risk by setting a master password"
         buttons: "Tell me more", "Cancel"
    
      "If you use a master password you will need to enter it 
       every time the browser needs this data to fill out online forms."
         buttons: "Tell me more", "Cancel"
    
      "A master password is not entirely safe and will not stop
       a tech-savvy person from gaining access to your information"
         buttons: "Tell me more", "Cancel"
    
      "You can also encrypt your login and password data"
         buttons: "Tell me more", "Cancel"
    
      "Encryption will stop the vast majority of potential data thieves"
         buttons: "Tell me more", "Cancel"
    
      "Encrypted data can be accessed by tech-savvy thieves using 
       specialized tools.  However this takes a significant amount 
       of effort and time."
         buttons: "Tell me more", "Cancel"
    
      "You should understand that no method can provide an absolute 
       guarantee of preventing access to your private information.  
       Encrypting your data will limit access to anyone but the most 
       determined experts."
         buttons: "Tell me more", "Cancel"
    
      "If you encrypt your data you will need to enter a password 
       every time the browser needs this data to fill out online forms."
         buttons: "Tell me more", "Cancel"
    
      "How would you like to store your login and passwords?"
         buttons: "Please encrypt my data" 
                  "I only want a master password"
                  "I don't want any protection"
                  "I would like to learn more before making a decision"
                  "I don't want to store my passwords in the browser"
    
    

I'm sure this could be fine tuned and made interesting, slick and inviting for
the user to read. It can even be done in animated or video form. The point is
that, in contrast with what the Uncle Fester user is given today, this
approach would go a long way towards both educating and promoting safe
practices.

