Chrome's Hidden Password Feature is ****ed
Chrome's Hidden Password Feature is ****ed
Posted 01/29/2009 at 8:00am
| by Paul Lilly
4
Comments
Print
Google's rap sheet when it comes to goofy exploits gives us pause to wonder if the company might be spending too much time concentrating on Cloud computing and not enough on security fundamentals. Back in July of last year, a SecurTeam blog exposed a Google Calendar flaw which made it possible to expose any Gmail user's real name with minimal effort. More recently, an exploit in Gmail allowing hackers to redirect your email was discovered. Now someone has stumbled onto an interesting vulnerability in Google's Chrome browser.
When you visit a site with an http password protected directory -- or try logging into your router, such as 192.168.1.1 for Linksys owners -- an Authentication Required pop-up appears asking for your for your login credentials. Your password should look something like ••••••••, but according to NeoBlog user tekmosis, if you let Chrome save your credentials to auto-fill the form, the next time you log in, copying and pasting the hidden password into a plain text application will reveal the actual ASCII characters.
We put tekmosis' discovered exploit to the test and as it turns out, you don't even need to have Chrome save anything. We tried logging into our router, typed our password, and it was immediately revealed when we copied/pasted it into Notepad.
While it might take a little work on the part of a hacker to take advantage of this vulnerability, it's one that should never have existed in the first place. You could make an argument that all exploits should never have existed, but this one just seems like a particularly glaring oversight.
More like this
winmaster
January 31, 2009 at 6:00pm
I never even thought of copying and pasting passwords. Like the person right below me (unless someone sneaks a comment in while I'm typing this), I don't see how this matters. The only way someone could get that password in that manner is if they had physical access to my machine, in which case they can get a lot more than my password. Hell, they could copy my whole hard drive to an external one.
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
neo1piv14
January 29, 2009 at 8:26am
I'm not getting how this is such a big deal. Anyone that's really after my personal data and is sitting at my computer is going to get my data no matter how secure the browser is, no matter what precautions I take. If the physical security of the machine is compromised, it's just a matter of time. Besides, has anyone noticed that in Firefox, you can just click the button that says "Show Passwords," and it'll show you every password for every site that you have saved. So someone sitting at my computer that clicks that button knows every site that I go to (even if they don't show the passwords for them), and assuming they compromise the one master password, now has access to all of them. I guess I just don't see it as a glaring exploit if you have to me in front of my personal computer to do it.
gibsurfer84
January 29, 2009 at 5:22pm
Ever hear of a drive-by hack? Ever hear of phishing sites? Ever hear of viruses? Ever hear of Maleware? Guess not. Thats probably why your SS# is on the black market.
nduanetesh
January 30, 2009 at 1:46pm
I like how you just threw a bunch of scary sounding terms out there without actually addressing the guy's point. Well argued sir. Well argued.
Connect with MaximumPC
Featured Content
We introduce Intel's latest class of tablet killers and review 4 of the first Ultra...
Where have all the memorable videogame enemies gone?
This month's issue
Feature
11 Hardware Hacks
Feature
Overclock Your CPU
How-To
Supercharge Your Smartphone
Build It
A Powerful $830 Rig
Most Commented Articles
Latest Max PC Tweets
- maximumpc: Analysts: 9-Inch Kindle Fire This Summer http://t.co/QDYApwCZ1 day 2 hours ago
- maximumpc: Micron: DRAM Prices Likely as Low as They're Going to Get http://t.co/fFUWuFOm1 day 5 hours ago
- maximumpc: Yar, Mateys! All Of Pirate Bay Made Available As A Single 90MB Zip File http://t.co/j5LHlXEZ1 day 6 hours ago
