In Google Chrome, as in other browsers, you can use a password generator to create a strong password to be safe. But what if that does not matter because you can see each password stored in your Chrome browser in plain text?
Chrome’s Password List
Chrome stores every password you save in Google Chrome’s password list (chrome://settings/passwords). To see the stored passwords in plain text you need to enter your main computer password. Normally.
But what if there is a way to see every password in plain text without entering your main password? Impossible? A major security leak?
You decide …
How it works
To see a stored password in plain text without using the main computer password, follow these steps:
- Go to a login page where you enter a password
- Open developer editor
- Search for the code of the password field
- Change type="password" into type="text"
You see the stored password in plain text. It’s as simple as that.
I tried this on different sites and it worked. Here is an example for the login page of the German e-commerce site Rossmann:
Are you safe?
With this bug none of your passwords are safe anymore. Everyone with access to your computer can see your website passwords without entering a master password.
Sure, everyone who has access to your computer can simply use the stored, automatically filled-in credentials to log in to every website, but that’s not the point.
Now everyone who has access to your computer knows your password – this is a huge difference. For instance, this person could use it later on a different device and does not have to access your computer anymore. Furthermore, if you use similar, slightly different passwords, this person could use the known password to guess your other passwords much more easily.
What can I do?
The most obvious way to prevent others from reading your password:
Do not store any passwords in Google Chrome’s password list.
But if you keep storing your passwords in the password list, make sure that nobody else has access to your computer.
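On the website's side, a login page can react to the attribute change described under "How it works". The following is an added example, not part of the original post: it watches each password field and, if its type stops being "password", clears the value and restores the masking. The function names `enforceMasking` and `guardPasswordFields` are hypothetical, and the sketch assumes the site can ship its own script on the login page.

```javascript
// Added example (not from the original post). Function names are hypothetical.

// Core reaction: if a field that started as a password field is no longer
// type="password", wipe its contents and restore the masking.
function enforceMasking(input) {
  if (input.type === 'password') return false; // still masked, nothing to do
  input.value = '';        // drop the autofilled secret before it is shown
  input.type = 'password'; // put the masking back
  return true;
}

// Attach the reaction to every password field found in `doc`.
// `Observer` is the MutationObserver constructor; it is passed in as a
// parameter so the logic can also be exercised outside a browser.
function guardPasswordFields(doc, Observer) {
  const fields = Array.from(doc.querySelectorAll('input[type="password"]'));
  const observer = new Observer((records) => {
    // Each record describes one change to a watched field's type attribute.
    for (const record of records) enforceMasking(record.target);
  });
  for (const field of fields) {
    // Only changes to the "type" attribute are of interest here.
    observer.observe(field, { attributes: true, attributeFilter: ['type'] });
  }
  return fields.length; // number of fields now being watched
}

// In a real page: install the guard once the login form exists.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    guardPasswordFields(document, MutationObserver);
  });
}
```

This only covers the type change described in this post, so keeping other people away from your unlocked computer remains the actual protection.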
Does Google know?
Yes, Google knows about this issue but does not take any action to resolve it as they stated that their Chrome Browser is safe.
Update: This works with every browser; it is not unique to Google Chrome.