A security flaw in Google's Chrome internet browser can let anyone view a user's entire password collection with just a few seconds of physical access to their computer.

Google Chrome imports user passwords automatically along with bookmarks, and makes them visible without a master password. (Credit: Google)

By default Chrome offers to store the passwords of websites you visit - such as Facebook, Twitter and your email client - as you browse, but unlike other browsers Chrome does not give its users the option to protect these with a master password.

Instead, visiting 'chrome://settings/passwords' in the browser will bring up a list of every password the user has saved, and although they are initially censored, clicking 'show' reveals each and every password without the need to enter a master password.

Therefore, if a computer is left unattended for a few minutes, or is stolen and doesn't require a password to log into the desktop, the passwords to a user's entire online life can be found in seconds.

Passwords do not even need to be entered through Chrome to be visible in this way; a user importing bookmarks from another browser into Chrome, for the sake of keeping both browsers in sync, is told that their passwords will also be copied over. Although 'Saved passwords' is presented as a checkbox, it is checked and greyed out, making the password import from Firefox into Chrome compulsory.

The flaw was first discovered and publicised by website developer Elliott Kember, who called the problem Chrome's "insane password security strategy" in a blog post.

Kember, who found the problem when exporting bookmarks from Safari to Chrome, said the browser is "deeply misleading" by giving the "illusion of choice" when in reality a user has no choice as to whether their passwords are imported or not.

Responding to Kember's complaints, Justin Schuh, head of Chrome security technology, said that even if the browser supported a master password, that would not stop an attacker with physical access to a victim's computer from installing malware and obtaining the passwords anyway.

"We don't want to provide users with a false sense of security, and encourage risky behavior," Schuh said. "We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get."

Referring to Chrome's mass-market appeal and its consumers, Kember added: "They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay."

Confidential information

The flaw is even more of a problem on Apple's Mac OS X software. When a new password is entered while using the browser, OS X states that Chrome "wants to use your confidential information...in your keychain. Do you want to allow access to this item?"

By using language like 'confidential' and referring to OS X's password-protected Keychain, the message implies that the new password will be stored as securely as Keychain stores its own items, but this is not the case: Chrome still displays it in plain text to anyone using the account.

Computer security expert Graham Cluley blogged in response to Kember's findings, saying: "It's hard to see how Google can justify not putting an extra level of protection in place when other browsers have adopted similar techniques."

Cluley says "it seems very odd" that Chrome insists users import passwords along with their bookmarks from other browsers, especially as Chrome "isn't offering the most rudimentary level of protection...Google's handling of the situation seems particularly lax."