Google likes to talk a big game when it comes to security on Chrome OS, and it’s true that there isn’t as much to go wrong in Chrome. However, that doesn’t mean it’s perfect. In fact, Google failed to implement a rather simple security measure to protect your passwords from snooping. That could change in an upcoming Chrome OS release, though.
It turns out that Google’s Chrome OS doesn’t enforce any sort of authentication when you view your saved passwords. If you’re using Chrome (or any other modern browser) on Windows or Mac OS, you can see how this is supposed to work. You open the browser settings, check your saved logins, and click to see the passwords. Windows prompts you for your Microsoft account details. On a Mac, it’s your Apple ID. In either case, it’s much more difficult for a third party to snoop on your passwords.
Once you’re logged into a Chromebook, the entire user-accessible system is open to whoever is physically touching the computer. Chrome does have additional limitations at the system level that prevent many of the hacks we see on other platforms. Google keeps most system components locked down unless you activate the hidden developer mode. That means you can reset the entire system and restore your cloud data in a few minutes if something goes wrong. Still, your passwords are just there for anyone with hands to peruse.
A Google employee added a bug report to the Chromium project last month asking for an added layer of password security. The Chromium team replied several days ago to say the feature was in the works. You can even follow progress yourself via the open-source Chromium code. The developers are using the lock screen authentication framework to keep passwords secure.
In the future, Chrome OS will pop up a login box when you try to reveal one of the saved passwords in the browser. You’ll have to enter your Google credentials in order to view those passwords. This change is still very early in the development process — it’s not even in the experimental Canary build yet. It still needs to filter down through the developer, beta, and finally stable channels before it’s an official feature. We’re looking at several months at least. In the meantime, don’t leave your logged-in Chromebook sitting around for someone to grab.