Security flaw ‘not unique to Google Chrome’

Stored passwords can be stolen from any browser, says security expert.

By Joe Curtis

A Google Chrome security flaw that offers access to stored passwords is not just restricted to the search engine firm’s software, it is claimed.

A software developer pointed out the flaw to the Guardian on August 7, demonstrating that by clicking on the settings in Google’s browser he was able to view a list of stored passwords.

A security expert told the newspaper that by storing passwords in plain text, Google was rendering them vulnerable to Trojan attacks designed to interrogate password vaults in browsers.

However, the CTO of single sign-on firm SaaSID, Richard Walters, said the security flaw was neither new nor unique to the search engine giant.

He said: "This issue is not restricted to Google Chrome; most browsers offer the ability to store passwords. The Chrome password store is well architected and acts as a ‘black box’ to legitimate software developers as well as malicious code authors.

"In Firefox, if users don’t set a master password, then passwords can be accessed in plain text easily with just a handful of lines of code.

"This points to the need for businesses to educate employees on the use of common browser features and the associated risks. Alternatively, businesses can implement an enterprise-grade single sign-on solution.

"Chrome includes a setting to ‘Offer to save passwords I enter on the web’, as well as the option to synchronise stored passwords to a Google account, so that they are available on other devices.

"Employees need to be made aware of these settings and IT staff may wish to remove them using Chrome policies. Enterprises should also consider employing server-side authentication to protect passwords from being compromised."

Server-side authentication prevents log-in details from being stored on personal devices.

Because users do not know their login details, they cannot have them stolen via malware on the device.
