Does Google Chrome reflect broader browser issue?
Last week, software developer, Elliott Kember, blogged that clicking on Chrome’s settings would return browser passwords in plain text if a thief briefly gained access to an unattended computer. Several publications reported on this apparent “security flaw” in the Google Chrome browser.
Kember complained that, while the Chrome password store is designed to make it easier for consumers to use multiple passwords for different web applications, it is inherently insecure to have these saved in plain text within the browser.
Google has responded that giving anyone else access to your computer operating system renders it insecure and providing a master password would simply give consumers a false sense of security and encourage risky behavior.
Another expert warned that storing passwords in plain text also renders them vulnerable to malware designed to harvest passwords saved within browsers, so a data thief wouldn’t need to physically access the machine.
Writing in Wired, former Black Hat, Kevin Poulsen, agreed with Google that using a master password will not prevent a determined hacker. However, he suggests that Google could include a barrier to slow down unskilled opportunists from accessing the password store.
What Kember has failed to mention is that the storage of browser passwords is not restricted to Google Chrome, most browsers offer the ability to store passwords. If Firefox users don’t set a master password, then all log in details can be accessed easily, in plain text, with just a few lines of code.
The issue that this story really highlights is the use of IT features within the corporate world that were originally designed to provide convenience and ease of use to consumers. Security is often inconvenient and slows you down. This is why organisations have seen an increase in shadow IT, because consumers want to enjoy the same rapid access to applications and information, without being interrupted by security controls. There is an expectation among employees that they should be able to search, download and begin using an application within minutes on a mobile device, or browse the web, sign up with a company credit card and start consuming a SaaS-based service almost as quickly.
Before they make the move to cloud-based services, businesses must re-educate employees on how to safely use common browser features. IT managers cannot rely on employees to consider the risks associated with storing passwords in clear text within the browser. They must explain the potential consequences and put additional controls in place.
Chrome includes a setting to “Offer to save passwords I enter on the web”, as well as the option to synchronize stored passwords to a Google Account, so that they are available on other devices. Employees need to be made aware of these settings and IT staff may wish to remove them, using existing Chrome policies. Alternatively, businesses can implement an enterprise-grade Single Sign-On solution so that employees (or hackers) cannot access their passwords.
Enterprises that are moving to the cloud should also consider employing server-side authentication to web applications, to protect passwords from being compromised. Server-side authentication prevents web login credentials from being stored on devices. Users do not know their login details, so they cannot write them down, share them, or have them stolen via malware on the device.
By Richard Walters
Richard Walters is CTO of SaaSID, a vendor of web application control and auditing software that enables businesses to govern web applications with on premise equivalent authentication, application control and auditing.