Browser security flaw could put passwords at risk

Browser security is one key to protecting an organization’s network, since the majority of security attacks come from the Internet. But security experts recently uncovered a flaw in a popular browser that could leave users open to a different kind of threat. 

In addition to acting as a gateway to the Internet, and therefore to all web-based security threats, web browsers can also hold a lot of valuable information, such as users’ passwords for various sites and accounts.

And in the case of Google’s Chrome browser, some intruders may get easy access to those passwords.

The problem, as described by software developer Elliot Kember: Anyone with access to a Chrome user’s computer can quickly see all of the person’s saved passwords in plain text.

All the snooper has to do is navigate to the browser’s Settings panel and click “Manage saved passwords.” That displays all the accounts with passwords saved to the machine. The passwords themselves are hidden — but each box has a button labeled “Show” that, when clicked, displays the password.

Risks from malicious insiders

While that may cause some alarm for those who use shared computers at home, it could also create significant risks in the office.

IT often tells users not to write their passwords down on sticky notes attached to their PC. But storing account information in plain text means passwords could be stolen any time users leave their machines unattended.

To prevent that from happening, the prompts asking users to store their passwords in the browser can be disabled by unchecking the box next to “Offer to save passwords” in Chrome’s settings panel. An external password manager can be used to store passwords more securely.

Of course, Chrome isn’t the only web browser that saves and stores users’ passwords. Mozilla Firefox, another popular option, also allows anyone using a computer to view a list of stored passwords.

That browser, though, allows users to set up a “master password” to limit access to only authorized users. The only catch is that the feature is off by default and must be activated.