
Google Chrome security flaw offers unrestricted password access - sstarr
http://www.theguardian.com/technology/2013/aug/07/google-chrome-password-security-flaw
======
tptacek
This is embarrassing. What The Guardian (and, earlier, HN) is describing
simply isn't a security flaw; rather, HN appears to have had a mild temper
tantrum over the lack of a cosmetic "security" feature that, had Chrome
implemented it, could have just as easily led to another temper tantrum over
how easy it is to bypass.

~~~
interpol_p
I am unsure why Chrome does not ask for the master password when the user
attempts to reveal the plaintext for a password. Safari does this and it
works.

This is a big deal because it makes reading passwords easy to do in seconds,
and easy to do inconspicuously.

If you were to modify the DOM to unmask passwords it would take longer, and
it's not something you can do while a co-worker or friend lends you their
laptop for a minute. This flaw presents additional opportunity to anyone who
wants to read another person's passwords.

It is _not_ merely "cosmetic." It actually presents a real problem for anyone
who does not logout of their account every time someone else uses their
computer. Sure, this is probably best practice — but it is also insulting,
inconvenient and an unrealistic expectation.

If I have unrestricted access to your machine, your passwords are compromised.
Fine. But this is not a common or realistic scenario. It is far more likely I
am using your machine with you, and then you walk out for 20 seconds to get a
glass of water.

~~~
tptacek
It does not work. It is a cosmetic security feature. If you don't log out, the
next unauthorized user owns your account. You obviously know that. You're
talking about a security feature based entirely off the incompetence of
attackers. Why not also recommend that Chrome "Base64 encrypt" passwords? That
will stop approximately the same set of attackers as the lack of a master
password feature will.

~~~
interpol_p
It _does work_.

Security is about far more than preventing determined, malicious attackers. It
is also about being able to use your computer in a work or family environment
with a reasonable expectation that your privacy will be maintained without
explicit effort on your part.

You call them "attackers" but that is not who we are discussing. We are
talking about people being able to casually browse your saved passwords,
perhaps without even the intent to attack (maybe they just want to see what
your passwords are).

Nor is this about the "incompetence of attackers." As soon as you add an extra
step — such as requiring a master password to show a particular instance of a
saved password — you increase the breach of trust required for a friend to
violate your privacy. And it's not simply whether you trust someone or you
don't, there are levels of trust between friends.

I have some friends that I would trust not to attempt to defeat my security,
but I would not trust them not to casually browse my passwords. In this
instance I would be safe with Safari but not with Chrome. See the difference?
Chrome could easily implement Safari's solution for this and be better for it.
Why defend the inferior design?

~~~
tptacek
I'm sorry, but I feel like I've had this pointless, silly debate my whole
career, starting with comp.security.unix, continuing through my brief time
working with OpenBSD and 90's Bugtraq, and through about a decade of helping
startups with software security, and I've lost a lot of my patience for it.

Security is measured in dollars; it is about the cost you confront your
adversary with. Chrome has sunk many millions of dollars into blunting attacks
that cost 6, 7, sometimes 8 figures. You're up in arms about a security
measure that would add pennies (if that) of attacker cost. Justin and his team
(rightly) observe that in return for the pennies of extra effort the feature
you're demanding would add, they also incur a real risk that users will feel
safer leaving their accounts unlocked. As you've already acknowledged
repeatedly, if they do that, it costs pennies to get all their passwords.

There are all sorts of stupid extra steps you can add to make things harder
for computer-illiterate attackers to compromise your accounts. Like I said,
you could also Base64-encrypt the passwords. Or ROT14 them. Or Base64 and
ROT14 them. How about you turn that into a round function and write the
Base64+ROT14 Feistel network? That'll surely dissuade _someone, somewhere_
from capturing passwords.

You will no doubt be able to come up with a 4 paragraph response to this
comment. In ~20 years, I've never been able to deliver a killing blow in this
stupid debate.

~~~
interpol_p
You have completely missed the point. This issue does not relate to malicious
attacks. It is about the _intent_ required for a friend or co-worker to breach
your trust.

Chrome lowers the barrier and makes access casual where other systems require
a stronger level of intent. That's the problem. _I have no idea why you are
defending this behaviour_.

~~~
tptacek
So again: they should display an FBI warning, just like they do on DVD movies.

~~~
interpol_p
Securing the password page is not remotely similar to an FBI warning on a DVD.

One requires a bit of manual effort and thought to get over for the casual
user, the other becomes ignored by the casual user.

------
cclafferty
I think Chrome's implementation of security is flawed. If you stop thinking
about this security as being a switch which is on or off and instead as a
granular scale then you'll agree that Chrome's password handling is as low on
that scale as possible. Now just so you know, I'm agreeing that Chrome can't
fully lock down your passwords and I'm OK with the reasons why (convenience),
but they're doing something wrong here: they're not looking at the in-between.

The difference I see is if my spouse or boss wanted to look at my passwords
they could, easily. I'm not OK with that. Now, tell me they have to install a
trojan, a virus or some other software first to get access to my passwords and
that's a level of safety which stops my boss. My boss won't have the technical
know-how to do it. My spouse could be looking just out of curiosity; the
smallest roadblock would stop them. Chrome's implementation makes it easy for
anyone to see passwords and that's just wrong!

The length of time anyone will have access to an unsupervised machine plays a
role here. It shouldn't take 5 seconds of pointing and clicking that my gran
could do to reveal all my passwords. It should take someone more effort!

------
smtddr
I don't think it's fair to call something a flaw because you disagree with it.
Google didn't do this by accident. It's a very purposely designed feature that
apparently a bunch of HN-folks just learned about and strongly disagree with.
Also, Firefox does this too...

And for the record, when I saw this feature 2 years ago I disagreed with it
too - but it's not a flaw.

~~~
joekrill
I absolutely agree. Although Firefox at least gives you the ability to set a
master password to add additional security. Chrome does not.

~~~
tptacek
They deliberately do not, because that password doesn't solve any security
problems, but does communicate to users that Chrome is doing something to
protect their account that it doesn't and can't do.

Firefox should lose the feature.

~~~
EliAndrewC
Can you clarify why the master password isn't offering any protection? It
encrypts your other passwords so that they are not stored in plaintext on the
filesystem; this alone seems like it's offering a little security, since my
(perhaps mistaken) assumption is that it's more likely for someone to be able
to read a file on your filesystem than to read in-memory passwords stored in
RAM.

EDIT: Your other comment at
[https://news.ycombinator.com/item?id=6173111](https://news.ycombinator.com/item?id=6173111)
probably explains your view on this; that there are few attacks in practice
which would be thwarted by encrypting passwords at rest, and that the false
sense of security on the part of the user would be disproportionately high.

------
ycitm
> The fact you can view the passwords means they are stored in reversible form
> which means that the dark coders out there will be writing a Trojan to steal
> that password store as we speak.

Surely they have to be reversible, or the browser wouldn't be able to use them
as passwords.

------
Kurtz79
Given that:

- I understand the fact that the browser must be able to have the password in
plaintext at the moment of logging in to a website.

- I understand that if someone has access to my account on my computer then
they are able to access all the sensitive information that I have stored
unencrypted on it, and not just my browser's passwords.

- I understand that this is not something new or ground-breaking, or even
something exclusively related to Chrome.

I still can't see how sensible having an option to show the passwords in
plaintext, without protection, really is. Many people (non tech-savvy people
in particular) for example do not lock their OS profile at all.

Requiring a Master Password by default (with the possibility of opting out in
the settings) before using/showing passwords, and storing these in encrypted
form, would seem more sensible to me.

------
madsr
Why is Chrome named as the "bad guy"? If anything, Chrome reveals the issue,
by showing just how accessible browser-saved passwords are in the first place.
Do you think that it's impossible for malware to retrieve passwords from IE,
Firefox, Safari and Opera? Just how is it possible to import the passwords
from these applications, then?

This is not a security flaw. Comparing browser password storage to a safe is
mildly retarded.

~~~
meowface
> Do you think that it's impossible for malware to retrieve passwords from IE,
> Firefox, Safari and Opera? Just how is it possible to import the passwords
> from these applications, then?

It actually is impossible for malware to instantly send off all of your saved
passwords if you're using Firefox and have a (reasonably decent) master key
set up. I assume Opera has a similar master key option. The keyword however is
"instantly."

Now, the malware can and will still of course modify HTML on the fly and steal
your passwords immediately after you login to websites, but it would probably
take quite a bit of time for it to collect nearly as many passwords as there
are stored in your browser's password vault, especially if you use websites
that don't require you to re-login very often. And the longer that time window
is, the higher the chance the malware will be detected either by odd computer
behavior, or an AV detection.

They can also set up a keylogger and wait for you to input your master
password at some point. It can sometimes be hard to determine what logged text
is actually the master pass, due to how many keyloggers work, but this is of
course a viable option.

All-in-all, master passwords do in fact hinder attackers. The first thing many
malware spreaders do is dump browser and other saved credentials (often FTP,
sometimes IM accounts so they can spam malicious links to contact lists); it's
often a quick "in-and-out" dumping process. It's not uncommon for malware to
successfully execute and exfiltrate some data as soon as it's loaded, but
later as it infects other files or drops additional payloads, AV will fire and
the user will try to clean up the machine.

And then there are the very simple cases of "friend/acquaintance uses
computer, looks at your passwords really quickly, memorizes a few, goes home
and screws with your accounts at a later time." Master passwords make that
sort of situation fairly impossible.

I really do not personally see why Chrome doesn't allow master passwords as an
option. It would not be a security silver bullet, but it does help.

~~~
tyilo
Easier way would be to just wait for the user to enter the master key and then
decrypt the passwords.

------
Karunamon
Philosophy question:

Given that a user left their session unlocked (!) in the presence of someone
who is not them (!!) with a password file and other sensitive data in easy
reach (!!!) - why is it Google's problem that the end user violated the first
three rules of computer security?

*ed Downvotes don't answer the question, guys. At what point do you stop taking extraordinary measures to protect the user from their own lack of sense?

------
ColinWright
Same as reported here:
[https://news.ycombinator.com/item?id=6167331](https://news.ycombinator.com/item?id=6167331)

Interesting to see the Guardian newspaper quoting someone from Hacker News.

Same is also true of Firefox - find the right path through the menu structure
(different for each version) and reveal all your passwords.

Simple enough.

~~~
lucaspiller
> Interesting to see the Guardian newspaper quoting someone from Hacker News.

He isn't just some random commenter though, he is the tech lead of browser
security (according to his comment, which I'm guessing The Guardian didn't
actually verify :D)

~~~
tptacek
Justin is actually the Chrome security lead. He's also one of the authors of
The Art Of Software Security Assessment, and someone with god-knows how many
years experience in vulnerability research.

------
corobo
People can also browse My Documents if they're logged in to my account.
Microsoft should get this bug fixed asap.

~~~
interpol_p
Chrome should ask for the master Keychain password when you attempt to unmask
a password. It does not do this, and it could easily do this (like Safari
does). So it's a flaw.

Alternatively Chrome should inform the user that saved passwords are easily
readable in plaintext, so that users will not trust it as much. It does not do
this either.

There's a difference between browsing someone's private documents and having
permanent access to their email account via their password.

~~~
dragonwriter
> Chrome should ask for the master Keychain password when you attempt to
> unmask a password. It does not do this, and it could easily do this (like
> Safari does).

Well, except that you can just dump the passwords from Keychain without the
master password.

[https://news.ycombinator.com/item?id=4518873](https://news.ycombinator.com/item?id=4518873)

~~~
interpol_p
But that is completely missing the point relating to _intent_.

Browsing Chrome's password page requires far less malicious intent than
finding/writing a script to dump someone's keychain passwords.

That's the main issue for me with Chrome. I know people that I wouldn't trust
not to navigate to chrome://settings/passwords, yet I would trust them not to
actively attempt to defeat my computer's security (no matter how feeble).

Chrome makes it easier to breach trust. A bad design.

~~~
dragonwriter
> But that is completely missing the point relating to intent.

Well, yeah, I'm certainly not seeing any point there.

> Browsing Chrome's password page requires far less malicious intent than
> finding/writing a script to dump someone's keychain passwords.

No, it doesn't. It might require somewhat more effort, but it doesn't require
any different amount of intent.

> I know people that I wouldn't trust not to navigate to
> chrome://settings/passwords, yet I would trust them not to actively attempt
> to defeat my computer's security

Intentionally navigating to chrome://settings/passwords is no less an active
attempt to defeat security than doing a command line dump of the keychain
passwords is.

> Chrome makes it easier to breach trust.

It's trivially easy to breach trust in about a million different ways if you
are given unsupervised access to an unlocked OS user account with sensitive
information attached to it. Chrome does not make any significant difference to
that.

~~~
interpol_p
So you are defending the design of this system, even though it has a lower
barrier-to-access than the alternative (as implemented by Safari).

> Intentionally navigating to chrome://settings/passwords is no less an active
> attempt to defeat security than doing a command line dump of the keychain
> passwords is.

I know people who would navigate to chrome://settings/passwords right in front
of me as a way to annoy me — to force me to change my passwords. Their intent
would be to annoy and not to attack. The fact is that you need less
motivation, and less intent, to go to the password page than to deploy a
script / modify the DOM / do any number of other things to get a user's
passwords.

Navigating to that page _is less of an active attempt to defeat security_.
Hell, even I feel like it's something _I would try on someone's machine_ when
I would never even consider breaching security in another way.

> It's trivially easy to breach trust in about a million different ways if you
> are given unsupervised access to an unlocked OS user account with
> sensitive information attached to it. Chrome does not make any significant
> difference to that.

I consider the difference to be significant. I want Chrome to improve its
design in this area.

Either securing this page or informing the user that their passwords are
readable would be _a better design_ than what is currently implemented. Are
you arguing this is not the case?

Just because you can do it a million other ways does _not_ mean you should be
fine with this way of accessing a user's private data.

------
lawnchair_larry
It amazes me that some of the security professionals are sufficiently out of
touch that they don't see this as an issue. The adversary in this case is the
casual non-technical observer who might have a minute to click around but not
install software to extract anything, it is not "hackers".

~~~
Karunamon
The adversary that can be trivially defeated by entering Meta+L before walking
away from your desk, or by not allowing untrusted randoms around your console?

------
peterwwillis
Right-click page

Click 'View page info'

Click 'Security'

Click 'View Cookies'

I just bypassed your Firefox/Safari/etc master password and owned your
session. OH NOES, SECURITY FLAW!!!! (I also downloaded a rootkit and installed
it in your user's home directory, but you probably don't find that as much of
a flaw as me getting your cookies. Right?)

I will say that encrypting the passwords on-disk is a nice thing if you care
about cold-rebooted disk attacks and don't implement disk encryption yourself.
But the game is mostly over if they have access to your machine. If the
machine is still on, a DMA or cold boot attack is probably going to net them
the passwords even on a master-password-locked browser, because the browser
still needs to access the passwords for forms without prompting you every
time.

------
vorbote
_Sigh_ This just goes to show what kind of damage people with little knowledge
and big egos can do. Ever read about Dunning-Kruger Syndrome, folks? Now you
are witnessing a typical example in all its pathetism. And it all started here
on HN.

------
dsr_
Firefox: Preferences: Security: Saved Passwords: Show Passwords: Yes, I'm
Sure.

And enter your master password if you use that, which you should, if you're
storing passwords at all.

------
DjangoReinhardt
Isn't it a known fact that, when asked, browsers store passwords in plaintext?
Why would anyone choose to let the browser 'remember their password' anyway?

~~~
ToastyMallows
I think this is the real debate. Since when did browsers get into the
account/password storing industry? Isn't this why we have browser extensions
in the first place?

~~~
DjangoReinhardt
True that.

The answer is also kinda obvious. It started as a matter of convenience
("I'm too f__king bored to type out my long-ass password" or "I have so many
passwords, I can't be bothered to remember them all" or "LastPass? What's
that?") and has remained so to date. In fact, it will continue to do so
until a zero-day exploit appears that can uncover these plaintext passwords,
which, judging by current events, doesn't seem too far away.

------
jrochkind1
My OSX chrome definitely stores passwords in OSX Keychain Manager. Is that
like a special setting or plugin I activated and forgot, not just what it
always does on OSX? Or wait, am I somehow wrong? It sure looks like it's
storing passwords in keychain manager, in that all of my website passwords are
there in keychain manager.

------
jwcrux
I've already done analysis of most of the major browsers. It even hit the HN
front page a couple months ago:

[http://raidersec.blogspot.com/2013/06/how-browsers-store-you...](http://raidersec.blogspot.com/2013/06/how-browsers-store-your-passwords-and.html)

------
alternize
I don't get it. How is Chrome's handling different from Thunderbird's or
Firefox's? They too have the exact same functionality accessible to anyone
sitting at the computer without extra security measures: Options > Security >
Saved Passwords > Show Passwords

~~~
sp332
If you have a master password set, Firefox makes you type it in before it will
show you the passwords. Chrome doesn't do that.

~~~
alternize
If... but the article mainly complained about it not being obvious to "normal"
people that their password can be read. I have my doubts that it would be more
obvious to those people that they can (should) set a master password in
Firefox.

------
hokkos
Chrome has a passphrase option for its sync capability; why doesn't it use it
as a master password?
[https://support.google.com/chrome/answer/1181035?hl=en](https://support.google.com/chrome/answer/1181035?hl=en)

------
jscheel
I didn't realize anybody took Chrome's password storage seriously.

------
itsallbs
How the hell did this make the HN front page? This is a tempest in a teapot.

------
nodata
_facepalm_

Next up: Android wireless passphrases are also stored unencrypted!

------
Doublon
Big news. Did they just start using Chrome at The Guardian?

