Google Chrome security flaw offers unrestricted password access

42 点作者 sstarr将近 12 年前

22 条评论

tptacek将近 12 年前

This is embarrassing. What The Guardian (and, earlier, HN) is describing simply isn't a security flaw; rather, HN appears to have had a mild temper tantrum over the lack of a cosmetic "security" feature that, had Chrome implemented it, could have just as easily led to another temper tantrum over how easy it is to bypass.

评论 #6172484 未加载

评论 #6173320 未加载

评论 #6172482 未加载

评论 #6172320 未加载

cclafferty将近 12 年前

I think Chrome's implementation of security is flawed. If you stop thinking about this security as being a switch which is on or off and instead as a granular scale then you'll agree that Chrome's password handling is as low on that scale as possible. Now just so you know, I'm agreeing that Chrome can't fully lock down your passwords and I'm OK with the reasons why (convenience), but their doing something wrong here, they're not looking at the in-between.The difference I see is if my spouse or boss wanted to look at my passwords they could, easily. I'm not OK with that. Now, tell me they have to install a trojan, a virus or some other software first to get access to my passwords and thats a level of safety which stops my boss. My boss won't have the technical know how to do it. My spouse could be looking just out of curiosity, the smallest roadblock would stop them. Chrome's implementation makes it easy for anyone to see passwords and that's just wrong!The length of time anyone will have access to an unsupervised machine plays a role here. It shouldn't take 5 seconds of pointing and clicking that my gran could do to reveal all my passwords. It should take someone more effort!

smtddr将近 12 年前

I don't think it's fair to call something a flaw because you disagree with it. Google didn't do this by accident. It's a very purposely designed feature that apparently a bunch of HN-folks just learned about and strongly disagree with. Also, Firefox does this too...And for the record, when I saw this feature 2 years ago I disagreed with it too - but it's not a flaw.

评论 #6172731 未加载

ycitm将近 12 年前

> The fact you can view the passwords means they are stored in reversible form which means that the dark coders out there will be writing a Trojan to steal that password store as we speak.Surely they have to be reversible, or the browser wouldn't be able to use them as passwords.

Kurtz79将近 12 年前

Given that:- I understand the fact that the browser must be able to have the password in plaintext at the moment of logging to a website.- I understand that if someone has access to my account on my computer then is able to access all the sensitive information that I have stored unencrypted on it, and not just my browser's passwords.- I understand that is not something new or ground-breaking, or even something exclusively related to Chrome.I still can't see how sensible having an option to show the passwords in plaintext, without protection, really is. Many people (non tech-savvy people in particular) for example do not lock their OS profile at all.Requiring a Master Password by default (with the possibility of opting out in the settings) before using/showing passwords, and storing these in crypted form it would seem more sensible to me.

madsr将近 12 年前

Why is Chrome named as the "bad guy"? If anything, Chrome reveals the issue, by showing just how accessible browser-saved passwords are in the first place. Do you think that it's impossible for malware to retrieve passwords from IE, Firefox, Safari and Opera? Just how is it possible to import the passwords from these applications, then?This is not a security flaw. Comparing browser password storage to a safe is mildly retarded.

评论 #6172389 未加载

评论 #6172376 未加载

评论 #6172508 未加载

Karunamon将近 12 年前

Philosophy question:Given that a user left their session unlocked (!) in the presence of someone who is not them (!!) with a password file and other sensitive data in easy reach (!!!) - why is it Google's problem that the end user violated the first three rules of computer security?*ed Downvotes don't answer the question, guys. At what point do you stop taking extraordinary measures to protect the user from their own lack of sense?

ColinWright将近 12 年前

Same as reported here: <a href="https://news.ycombinator.com/item?id=6167331" rel="nofollow">https://news.ycombinator.com/item?id=6167331</a>Interesting to see the Guardian newspaper quoting someone from Hacker News.Same is also true of Firefox - find the right path through the menu structure (different for each version) and reveal all your passwords.Simple enough.

评论 #6172221 未加载

corobo将近 12 年前

People can also browse My Documents if they're logged in to my account. Microsoft should get this bug fixed asap.

评论 #6172530 未加载

评论 #6173485 未加载

lawnchair_larry将近 12 年前

It amazes me that some of the security professionals are sufficiently out of touch that they don't see this as an issue. The adversary in this case is the casual non-technical observer who might have a minute to click around but not install software to extract anything, it is not "hackers".

评论 #6174975 未加载

peterwwillis将近 12 年前

Right-click pageClick 'View page info'Click 'Security'Click 'View Cookies'I just bypassed your Firefox/Safari/etc master password and owned your session. OH NOES, SECURITY FLAW!!!! (I also downloaded a rootkit and installed it in your user's home directory, but you probably don't find that as much of a flaw as me getting your cookies. Right?)I will say that encrypting the passwords on-disk is a nice thing if you care about cold-rebooted disk attacks and don't implement disk encryption yourself. But the game is mostly over if they have access to your machine. If the machine is still on, a DMA or cold boot attack is probably going to net them the passwords even on a master-password-locked browser, because the browser still needs to access the passwords for forms without prompting you every time.

vorbote将近 12 年前

Sigh This just goes to show what kind of damage people with little knowledge and big egos can do. Ever read about Dunning-Kruger Syndrome folks? Now you are witnessing a typical example in all its pathetism. And all started here in HN.

dsr_将近 12 年前

Firefox: Preferences: Security: Saved Passwords: Show Passwords: Yes, I'm Sure.And enter your master password if you use that, which you should, if you're storing passwords at all.

DjangoReinhardt将近 12 年前

Isn't it a known fact that, when asked, browsers store passwords in plaintext? Why would anyone choose to let the browser 'remember their password' anyway?

评论 #6174189 未加载

jrochkind1将近 12 年前

My OSX chrome definitely stores passwords in OSX Keychain Manager. Is that like a special setting or plugin I activated and forgot, not just what it always does on OSX? Or wait, am I somehow wrong? It sure looks like it's storing passwords in keychain manager, in that all of my website passwords are there in keychain manager.

jwcrux将近 12 年前

I've already done analysis of most of the major browsers. It even hit the HN front page a couple months ago:<a href="http://raidersec.blogspot.com/2013/06/how-browsers-store-your-passwords-and.html" rel="nofollow">http://raidersec.blogspot.com/2013/06/how-browsers-store-you...</a>

alternize将近 12 年前

i don't get it. how is Chrome's handling different from Thunderbird's or Firefox's? they too have the exact same functionalities accessible to anyone sitting at the computer without extra security measures: Options > Security > Saved Passwords > Show Passwords

评论 #6172599 未加载

hokkos将近 12 年前

Chrome has a passphrase option for his sync capability why doesn't it use it as a master password ? <a href="https://support.google.com/chrome/answer/1181035?hl=en" rel="nofollow">https://support.google.com/chrome/answer/1181035?hl=en</a>

jscheel将近 12 年前

I didn't realize anybody took Chrome's password storage seriously.

itsallbs将近 12 年前

How the hell did this make the HN front page? This is a tempest in a teapot.

nodata将近 12 年前

facepalmNext up: Android wireless passphrases are also stored unencrypted!

Doublon将近 12 年前

Big news. Did they just start using Chrome at The Guardian?