Imagine there was a worrying vulnerability in the world's most popular browser, and nobody was doing anything about it. Unthinkable, you say? But that's exactly what happened with Google Chrome.
Security researchers from the ethical hacking group CyberArk Labs discovered a vulnerability in the Chrome browser a year ago that practically serves passwords to potential attackers on a silver platter. The browser stores entered passwords, as well as cookies containing your data, as plain text in main memory, where they can be read with the help of various tools.
Chrome is reportedly not the only browser affected by the vulnerability
CyberArk Labs informed Google about the vulnerability more than a year ago. However, the information has only now been published, presumably so as not to play further into the hands of potential attackers.
Google makes it easy for itself
Google's answer can be found in the Chromium Security FAQ. In summary, it states that there is simply no way to defend against users with malicious intentions once they have gained access to a system. According to Google, such an attacker can change executable and DLL files as well as environment variables and configuration files at will. There is therefore little that can be done against such attacks, either by Google or by the user.
The company still has a few tips in store: you can at least reduce the amount of information that an attacker can capture. To do this, you should disable auto-completion and password saving in Chrome's settings. However, it remains questionable how helpful this is with regard to this particular vulnerability.
Google apparently does not see itself as responsible. However, both CyberArk Labs and Günther Born take a different view. Although Google is basically right with its argument, it is irresponsible to store passwords as plain text in main memory. Incidentally, passwords could become a thing of the past altogether in the future.
However, Google seems to have made some minor adjustments: about a month after the Internet giant was informed of the vulnerability, CyberArk Labs could no longer extract cookie data, at least not right away, and only after modifying the software used for this. After another two months, that stopped working as well. Günther Born, however, attests that it is still possible to read passwords as plain text from main memory.
How big is the danger in the end?
That's difficult to estimate. Google may be right that a potential attacker would need access to the system anyway in order to extract cookie data and passwords from memory. In a sense, by then it is too late anyway. On the other hand, in our opinion, no stone should be left unturned to make life as difficult as possible for attackers.
Otherwise it would be as if, for example, you didn't even need to lock a safe because anyone who got through the front door could crack it anyway.
How do you see it? Should Google take action and close this vulnerability once and for all? Or maybe the company is right and it doesn't make any sense at all? Let us know in the comments!