Google security lapse uncovered by Kiwi developer

Photo / AP

A security flaw in Google's Chrome web browser, which lets anyone with access to a user's computer see all their stored passwords, has been discovered by a Kiwi software developer.

Elliott Kember uncovered the security hitch, which allows users to see other people's email, social media and personal account passwords directly from the settings panel, without any other password being entered.

As well as opening up possibilities for identity fraud, the discovery could have serious consequences for businesses if a user stored their company logins on Chrome, and left their computer unattended with the screen active.

Mr Kember detailed the process on his blog, under the headline: "Chrome's insane password security strategy."

Simply typing chrome://settings/passwords into the Chrome browser will bring up a list of the user's login details, accompanied with a 'show' button which reveals the hidden passwords in plain text.

Anyone with access to another user's computer could then copy down all the passwords to their online accounts.

In his blog, UK-based Mr Kember said Google isn't clear about its password security.

"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority," he wrote.

"They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."

He added that a dialogue box where Chrome asks for access to confidential information is "even more misleading".

"By using words like 'confidential information' and 'stored in your keychain', OSX describes the state of your saved password's current security," he wrote.

"It's the very security Chrome is about to bypass, by displaying your passwords, in plain-text, outside your keychain, without requiring a password.

"When you visit a website, Chrome prompts for every password it can find for that domain."

However, Google's head of Chrome security Justin Schuh has said the company is aware of the weakness and has no plans to change it.

"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works," he wrote on Hacker News.

"We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour.

"We want to be very clear that when you grant someone access to your OS user account, that they can get at everything."

Chrome is one of the three most widely-used browsers on desktops worldwide, alongside Microsoft's Internet Explorer and Mozilla's Firefox.