updated 11:37 am EDT, Wed August 7, 2013
URL exposes saved passwords
Google has come under fire for leaving saved passwords unprotected in its Chrome browser. Web developer Elliot Kimber has brought attention to the issue, noting that a user's saved passwords are easily exposed when the browser is directed to a settings URL. Although viewing the passwords requires direct access to the computer on which they are saved, Kimber argues that many users are unaware that such information is accessible without entering a master password.
"Google isn't clear about its password security," Kimber writes in a blog post, which was referenced in a report by The Verge. "[Users] don't expect it to be this easy to see their passwords."
When Chrome is asked to import passwords in OS X, users encounter a prompt that requires approval for the browser to "use your confidential information stored in your keychain." Kimber suggests the wording is misleading, lacking any explicit warning that passwords will no longer be protected.
Responding to the blog post, Google's head of Chrome Security, Justin Schuh, suggests the company has chosen not to support a master password or other security protection because it does not want to provide users with a "false sense of security" and "encourage risky behavior," according to a blog post on Y Combinator.
"We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get," Schuh added.
In a follow-up response, Schuh suggests any change in Chrome would actually make users "less safe than they are today," and "that's just not how we approach security on Chrome."