Security flaw in Google Chrome?
1 point by skid on Feb 25, 2012 | hide | past | favorite | 4 comments
I was at a friend's party a week ago and he was playing music on YouTube. I mistakenly logged into his Google Chrome (this is a recent feature) with my Google account and logged out immediately when I realized my mistake.

Some days later I logged in and connected my own Google Chrome with my Google account. I got all the friend's bookmarks, which is ok. A day later, I opened the browser and tried to log into Gmail (I didn't have the "remember me" option turned on) and I got my friend's email AND password pre-filled in the Gmail login form. I could read his password with document.getElementById('Passwd').value.

Has anyone also done this? Google is apparently syncing your passwords unencrypted.



Not a security flaw, you just synced his browser settings with your account. The proper way to log into another person's Chrome is by adding a new user in the "Personal Stuff" area first.


I think the security flaw here is that Google is keeping your password unhashed somewhere on their servers.


chrome://settings/syncSetup

Passwords are encrypted by default, the other option is to encrypt all synced data.

You should clear your friend's sync data from your dashboard BTW: https://www.google.com/dashboard/


I guess it's ok. But they should make it more obvious when you first log into Chrome.



