Google released Google Chrome 18.104.22.168 on May 22, 2009. However, as far as we see this latest Beta version still lacks a fundamental feature to protect users from the risks posed by its saved password option.
Password saving is a default setting in Chrome. Chrome users are offered to save their passwords so that they do not have to type the passwords on their subsequent website accesses.
However, Chrome does not provide a security solution for the saved passwords. This means that anyone using the authorized user’s computer is able to view all the passwords saved on it.
Unfortunately, being unaware of this risk, users may let other people use their computers for mail checking or web browsing. Consequently, a bad guy is capable of harvesting all the passwords saved on Chrome within some seconds.
For Google Chrome Team
A master password which is once applied for Firefox 3 is a simple security solution in this case. Bkis recommends Google apply this mechanism to protect their users from password disclosure vulnerability.
Master password on Firefox
For Google Chrome users
Do not save your password on Google Chrome if you often share your computer with other people.
Right after Google Chrome’s launch on September, 2009, Bkis discovered a Buffer Overflow Vulnerability in its SaveAs Function, the first Critical Chrome Vulnerability permitting hacker to perform a remote code execution attack and take complete control of the affected system: http://blog.bkis.com/?p=119
By Nguyen Minh Duc / Manager - Application Security Department, Bkis