Please fix plaintext credential storage in Chrome
In the process of doing some browser fingerprinting research, I stumbled upon a curious file in my personal chrome profile named ‘Login Data’. Poking around a bit, it looked to be a sqlite database which contained every username/password I’ve ever told Chrome to remember.
This isn’t a new or particularly exciting discovery — it’s been written about in the past. The Chrome browser security tech lead made a comment about how they came to the decision (yes, that’s what it was) to store ‘remembered’ credentials in plain text, an argument heavily based on the assumption that if there was a compromise it’d be at the browser/OS level. In addition, there are ways to set a master password on Chrome so it prompts you for your OS user password whenever you try to access your credentials from the browser (via chrome://settings/passwords).
Well, it turns out that chrome saves profile data to ~/.config/google-chrome on (most?) *nix systems. It also turns out that every chrome profile is initialized with a nice little README file :
When you put two and two together, you have a tidy way to assess just how many people accidentally commit their chrome profile to their dotfile dump (spoiler: it’s a lot). Mac/Windows users seem to be slightly (possibly accidentally) insulated from this, as profile data is stored in harder-to-reach-places. Accessing the sqlite database directly reveals that even with a ‘master password’ configured, Chrome still writes all of your credentials to the disk in plaintext. While the Chrome security team’s arguments are absolutely valid, the anti-pattern of password (in)security can lead to some catastrophic accidental exposure — which could be easily mitigated if conventional application security concepts applied to Chrome.
I’m going to step off the soapbox and simply say: we can do way better. Implement a dumb crypto function, throw in a trivial ‘master password’ implementation that actually encrypts what’s written to the disk, rename the file to something less conspicuous — do something so that gaining access to someone’s secret credentials is at least slightly harder than opening up a file called ‘Login Data’.