Show passwords feature is a serious security issue in Firefox and Chrome
Friday, June 12, 2009 9:20:13 PM
Yet they both fail at their very core feature. They serve ALL your passwords to any, even the dumbest user that can get physical access to your browser. As much as this doesn't seem to concern anyone at Google or Mozilla, it certainly concerns me. And it should also seriously concern you, if you are a user of either Firefox or Chrome. Why the hell is this feature even there? Sure, you can hack passwords out of the Firefox/Chrome storage files, but tell me, how many average users can actually do that?
I bet 90% of them don't even know what a "profile folder" is. But here, it's just a click away. Served on a silver platter to anyone. There goes all the security out the window...
There is of course the "Master Password" feature which couldn't be any more useless than it is.
Instead of locking the "Show password" function alone, it locks the entire browser. How f**kin' gay is that? Sure it may come in handy for something, but they could just as well make two lock down features.
"Master browser lock" and "Master password lock". The first would lock the entire browser from unauthorized access without a password, and the second one would just prevent anyone from accessing ALL of your passwords while giving free access to all other browser features (so you can actually browse the web).
There was a surprise after checking a few other browsers, however. Opera, Safari and yes, even Internet Explorer 8 don't show any passwords to anyone. You can see which pages have a password stored and what user name is used there, but there is no way you can see the actual passwords.
I'm using Firefox and this really concerns me. All passwords are just a click away. Yeah, you can check it and see it for yourself under Tools\Options\Security -> Saved passwords.
Chrome is no better. But Opera, Safari and IE8 surprised me. They actually have this done right.
I especially don't get why they left this in there while they are constantly working on security fixes, implementing new security features and so on. But it seems they only care about remote stuff.
Local access is just as problematic as remote access.
So, if you're in any way affiliated with either Mozilla or Google, or if you know the right people there, let them know that this is a serious security issue that needs to be addressed soon.