If you have three minutes alone with a Google Chrome user’s computer, you can access all their passwords—Gmail, Facebook, Twitter, whatever—then quickly cover your tracks.
It’s not a hack, per se. It’s a little-known feature designed to help users remember passwords and avoid the hassle of constantly hitting those “forgot your password?” buttons.
In just four clicks, you can find yourself face-to-face with a list of each password they’ve let Chrome save. Jot them down and close a window, and you’ll be gone in 60 seconds with the user’s keys. I won’t provide explicit instructions, but if you’re curious, you won’t have any trouble finding them.
Any intruder can then spy on a target’s accounts in secret or hijack them from the comfort of their own home, changing the target’s passwords and doing damage of all sorts until the target contacts security departments, proves their identity and wrests back control.
You can’t disable the function, but you can delete all saved passwords and instruct Chrome not to save passwords in the future. This will mean entering your passwords every time you log into a site, so even users who know how to do this won’t likely bother. The whole thing is being described by security experts and by the tech press as a major security flaw, but the engineers at Google say they’re just keeping it real.
“We don’t want to provide users with a false sense of security,” wrote Chrome developer head Justin Schuh on Hacker News. His point is that if you allow someone access to your machine, they can get their hands on anything. Obscuring saved passwords behind some “master password” would do little to stop a malicious guest. If you have social media accounts open, they could mess directly with settings. They could install malware or spyware, recording your keystrokes. They could type “password” into your Spotlight search bar and see what comes up in old Word documents. Google doesn’t want to close your window with cardboard when your front door may be wide open. Google wants you to be vigilant!
It’s a strange ideological stand. The truth is, most of us don’t worry that malicious hackers with malware on USB keys will get hold of our computers. The hackers we really need to worry about are our parents, kids, spouses and friends. As with many crimes, the privacy invasions that happen most and hurt the most are perpetrated by people we know and trust.
I’m not saying Russian fraudsters and NSA spooks don’t matter. Outside threats to our privacy are destructive in minor and major ways, creating everything from pesky banking hassles to existential threats to free societies. But let’s pause to recognize the vast damage done, largely unreported, by our loved ones.
You might not call it “hacking,” but every time a suspicious dude glances at an incoming text on his GF’s phone, every time a mom can’t resist a peek at her daughter’s open Facebook page, every time surfing histories are checked for porn sites, or old emails are searched for an ex’s name, life-changing consequences are possible. Our GPS whereabouts or smartphone metadata might not mean much or matter much to the government bots that are probably tracking them. But those who know us best know what our data means. A stop at a certain street corner might mean a donut we weren’t supposed to eat or a rendezvous we weren’t supposed to have.
Google makes tools, and tools should serve the interest of their users. I lock my bike, not because I think bike locks are infallible, but because an unlocked bike is an invitation to steal. By placing our passwords four clicks away, Google is inviting us to hack each other.
Follow Jesse on Twitter @JesseBrown