A few months after the bug was discovered, Google's decided it should experiment with a fix for its Chrome password exposure bug feature. As El Reg noted back in August: “If the victim, shall we say, is using Chrome, surf over to chrome://settings/passwords, click on a starred-out saved website password and click on "Show"; …
Good to see Google finally get off their collective butts and make an attempt to fix this gaping hole.
Also, love the idea of using the OS credentials for authentication instead of setting a master password. However, what happens if the user has not set a password for his/her user account?
Re: Long overdue
Then they only have themselves to blame if they let some miscreant loose on their computer.
"A few months after the bug was discovered"?!
This "bug" has ALWAYS been in Chrome. See http://productforums.google.com/forum/#!topic/chrome/k6JmRoGJp5w%5B1001-1025-false%5D from 2008!
Remember kids: Chrome is the fastest and most secure browser.
... your passwords are also securely stored on Google servers....
This is considered a bug? Given that Firefox behaves in the same way when asked to show stored passwords, I'd just assumed it was the intended behaviour in Chrome too...
You can set a master password in Firefox which is then demanded if you want to look at the stored passwords (at least in the preferences GUI) and (possibly) before it will give certificates out.
But Firefox has a "Timeout master password" feature that keeps miscreants at bay (if the user has set a master password). It also requires the user to RE-enter his master password to view passwords.
This wasn't a bug, but by design... bad design.
Glad Google have finally decided to cave in and listen to user feedback, but annoyed it took so long to add this feature.
Recall reading somewhere Google said it's because they didn't want to give a false sense of security - although it is a layer of security once the system is compromised.
As mentioned, how is this a bug? If you want to share accounts with somebody on your device then make sure you select the option not to save password, common sense really.
Also as already mentioned, Firefox is exactly the same.
And as mentioned before - Firefox is NOT exactly the same. It has a master password option.
Hopefully they will remember to password protect the flag as well.
Surf to chrome://flags/#enable-password-manager-reauthentication
Surf over to chrome://settings/passwords,
Click on a starred-out saved website password and click on "Show";
Rinse and repeat down the list.
Voila, you can see his or her passwords in plain text.