
Google Chrome ‘hack’ is an open invitation

… to parents, kids, spouses and friends. (The people most likely to spy on you.)


 

If you have three minutes alone with a Google Chrome user’s computer, you can access all their passwords—Gmail, Facebook, Twitter, whatever—then quickly cover your tracks.

It’s not a hack, per se. It’s a little-known feature designed to help users remember passwords and avoid the hassle of constantly hitting those “forgot your password?” buttons.

In just four clicks, you can find yourself face-to-face with a list of each password they’ve let Chrome save.  Jot them down and close a window, and you’ll be gone in 60 seconds with the user’s keys. I won’t provide explicit instructions, but if you’re curious, you won’t have any trouble finding them.

Any intruder can then spy on a target’s accounts in secret or hijack them from the comfort of their own home, changing the target’s passwords and doing damage of all sorts until the target contacts security departments, proves their identity and wrests back control.

You can’t disable the function, but you can delete all saved passwords and instruct Chrome not to save passwords in the future. This will mean entering your passwords every time you log into a site, so even users who know how to do this won’t likely bother.  The whole thing is being described by security experts and by the tech press as a major security flaw, but the engineers at Google say they’re just keeping it real.

“We don’t want to provide users with a false sense of security,” wrote Chrome developer head Justin Schuh on Hacker News. His point is that if you allow someone access to your machine, they can get their hands on anything. Obscuring saved passwords behind some “master password” would do little to stop a malicious guest.  If you have social media accounts open, they could mess directly with settings. They could install malware or spyware, recording your keystrokes. They could type “password” into your Spotlight search bar and see what comes up in old Word documents. Google doesn’t want to close your window with cardboard when your front door may be wide open. Google wants you to be vigilant!

It’s a strange ideological stand. The truth is, most of us don’t worry that malicious hackers with malware on USB keys will get hold of our computers. The hackers we really need to worry about are our parents, kids, spouses and friends. As with many crimes, the privacy invasions that happen most and hurt the most are perpetrated by people we know and trust.

I’m not saying Russian fraudsters and NSA spooks don’t matter. Outside threats to our privacy are destructive in minor and major ways, creating everything from pesky banking hassles to existential threats to free societies. But let’s pause to recognize the vast damage done, largely unreported, by our loved ones.

You might not call it “hacking,” but every time a suspicious dude glances at an incoming text on his GF’s phone, every time a mom can’t resist a peek at her daughter’s open Facebook page, every time surfing histories are checked for porn sites, or old emails are searched for an ex’s name, life-changing consequences are possible. Our GPS whereabouts or smartphone metadata might not mean much or matter much to the government bots that are probably tracking them. But those who know us best know what our data means. A stop at a certain street corner might mean a donut we weren’t supposed to eat or a rendezvous we weren’t supposed to have.

Google makes tools, and tools should serve the interest of their users. I lock my bike, not because I think bike locks are infallible, but because an unlocked bike is an invitation to steal. By placing our passwords four clicks away, Google is inviting us to hack each other.

Follow Jesse on Twitter @JesseBrown


 

  1. I couldn’t have said it better… Great article! I’ve been trying to raise awareness of this issue for months… I am so happy that it’s finally being exposed to the people who actually use Chrome.

  2. This is pointless. The same is true in most major browsers.

    In any case, only an amateur would save their passwords without strong encryption.

    • Firefox allows a user to hide all passwords unless a master password has been entered. It has had this feature for years.

      I just had a look at Chrome and what JB says appears to be true. Unbelievable! Google can dismiss this all they want — I’ll bet this feature will magically appear in a future update.

      • The opposite is true, actually. By default, Firefox doesn’t protect passwords _unless_ you have a master password set. Like Chrome, you have to explicitly request that the password be shown, but all of the saved passwords can be viewed from one location (Preferences/Options->Security->Saved Passwords->Show Passwords). While you have to click a couple more times, it really is just as simple as Chrome, and Safari is pretty much the same.

    • @theskuj – I just had a look at Firefox, Safari, IE10 and Opera and Chrome. Google Chrome is the only browser that makes password retrieval so easy.

      Want proof? Just use Google to search for “[whatever browser] saved password retrieval.”

    • Passwords should never be saved, period, no exceptions, end of story.

  3. The headline says Google Chrome hack, the story says it’s not a hack per se. The author wouldn’t keep their job long in my news office.

    • Hack is in quotes, implying it isn’t really a hack

  4. If people are worried about their passwords, then they shouldn’t be using a browser to save them. The secure thing to do is use LastPass or 1Password to manage your passwords.

  5. It took me less time to figure out the saved passwords in Chrome than it did for Chrome to actually load and appear. LOL

  6. Firefox does the same thing, and I’m certain you have to go in and enable a master password. Otherwise, it’s the same situation. And this is not just “not a hack per se” but completely not a hack, whatsoever, by any definition. This is more like rifling through your sock drawers because someone knows you wrote down the combination to your safe on a piece of paper. A “hack per se” would be cracking that lock somehow.

  7. I was really bothered by this too. If I let someone use my computer I don’t want it to be that easy for them. I don’t think my gf would ever install a key logger on my laptop, but I wouldn’t put checking my passwords past her.

    I admit I’m the same. If I thought maybe my gf was cheating on me I’d feel a hell of a lot more guilty about installing a key logger, and would be a hell of a lot more scared of being caught doing so (it would take time and she could find it on there), whereas just quickly looking at her passwords and checking her email / facebook doesn’t seem so bad. It’s almost impossible to catch me, it’s much less work, and is just a lot better of an option.
