Look out - your passwords are easily accessible in Google Chrome. Photo: Elliott Kember

People who use Google Chrome – and save their passwords in the browser – should be aware of a feature that critics are slamming as a major security flaw.

Security experts have found that the web browser stores passwords (saved by users) in an unencrypted format.

All someone needs to do is go into Chrome’s password settings page, accessible by typing this into the address bar: chrome://settings/passwords

The browser will show a list of the websites for which you’ve saved usernames in Chrome, with the hidden password beside each login. Just click the ‘Show’ button beside a blocked-out password to reveal the actual password.

So if anyone gets access to the computer, or if the right virus winds its way onto your laptop, the passwords can be easily exposed and then used maliciously.

While you may have created the most challenging password containing upper and lower-case characters, numbers and symbols, it could be useless.

The flaw was exposed by software developer Elliott Kember on his blog (see photo attached).

Since the “bug” got attention, it’s prompted a response from Justin Schuh, who works on Chrome’s security.

In a response written on Hacker News, he points out that saved passwords are only as secure as the password attached to the operating system of the computer in question.

So if you don’t have a password to log into your Windows or Mac computer, you probably should start locking things down. Also, you should avoid lending your computer out to “friends,” and don’t leave your laptop open – even if you’re just stepping away for a quick moment.

He goes on to write:

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.