Google Chrome security flaw offers unrestricted password access ~ High Tech House Calls

Wednesday, August 7, 2013

Google Chrome security flaw offers unrestricted password access

by Charles Arthur, theguardian.com, Wednesday 7 August 2013 05.57 EDT

Plain text logon details for email, social networks and company systems stored in browser's Settings panel

A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.

Seeing the passwords is achieved simply by clicking on the Settings icon, choosing "Show advanced settings…" and then "Manage saved passwords" in the "Passwords and forms" section. A list of obscured passwords is then revealed for sites - but clicking beside them reveals the plain text of the password, which could be copied, or sent via a screenshot to an outside site.

But the head of Google's Chrome developer team, Justin Schuh, said he was aware of the weakness and that there were no plans to change the system.

That response was described by Sir Tim Berners-Lee, the British inventor of the web, as "disappointing". He characterised the flaw as "how to get all your big sister's passwords".

Chrome is one of the three most widely-used browsers on desktops worldwide, along with Microsoft's Internet Explorer and Mozilla's Firefox. It has millions of users and is seen by some as crucial to Google's future efforts to monetise web use, by tying users to Google accounts and synchronising between their desktop and mobile systems.

Elliott Kember, a UK-based software developer from New Zealand who discovered the flaw, commented: "In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."

Other browsers have previously had similar flaws with password visibility - and closed them. In 2010, Firefox was revealed to use the same "plain text" storage that Chrome is being criticised for - and added a master password option requirement. Some versions of Microsoft's Internet Explorer have also had the same failings. Apple's Safari requires the user to enter a master password before it will show stored passwords.

Schuh wrote on Hacker News that "We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything."

However, the position was criticised by other developers. "A good safe is judged by the time required to break it," wrote "marcgg". "There is no safe that is unbreakable, you just need to put enough time, effort and noise to open it. Same thing could be applied here. Installing software, dump the cookies and so on requires time. Right now with this security a person could get my password in a couple of clicks with almost no technical knowledge."

One security manager at a publishing company said: "The fact you can view the passwords means they are stored in reversible form which means that the dark coders out there will be writing a Trojan to steal that password store as we speak."