The bug response was laughable "yes with unrestricted acess to an account you can steal data from it".
This makes it sound like "with enough time and patience anything is possible"
But the steps described aren't even what i would call a hack. You could do them by accident if you were trying to log in to your own account under someone elses computer using chrome, in less than a minute if you're quick. It requires no technical knowledge and can be done with time to spare during someone's bathroom break.
Here's the process in a nutshell:
1) logout of their account in chrome.
2) login to you're account
3) lie and say you were the previous per person
This isn't a hack. There is no hack! This is a very small step above the "honor system" as your security!
Given the number of people I've seen step away from their desks without locking their machines (in the tech industry, no less)...I don't think "hack relies on physical access to the machine wontfix" is an entirely reasonable response from the Chrome team.
Maybe they could make you enter the system password for this action too like they did with saved passwords (earlier, saved passwords were visible in plaintext but now you have to enter the system password to see them)
It's not at all a reasonable response. A small bit of malware could eliminate the need for physical intervention: programmatically logout, login with the thief's account to sync, then log that one out too.
The response smacks of an attitude that "once a machine is even a little compromised it's not our responsibility what happens. Physical access is a compromise, therefore we don't have to fix our own loop hole."
This is like a safe company saying, "Well, of course someone that breaks into your house can also open the safe by saying, I'm the owner out loud."
This is not a new phenomenon, though the ease of the exploit might be new. I remember a while ago you could go in SQLite and look at the file Firefox stored all the saved passwords in, for any user. That exploit was fixed, and this one likely will be as well. I agree with other commenters, the most disturbing thing about this is the blase attitude of the response.
Mmm. You still can, if there's no master password enabled. But that's a distinct issue from this. Here, you're going from a state that should be entirely safe ("signed out"), to retrieving all of the secrets that are held.
Because Firefox doesn't have sign-in and sign-out like Chrome does, the principle of least surprise kicks in.
When an attacker can gain access to your unlocked computer and have time to logout/login your browser, you should not expect anything on the desktop is safe. Personally I don't see this as a security bug.
They should at least have to go to an effort commensurate with installing a keylogger or something like that. Just navigating a few windows to get to see your passwords -- that's just wrong. Anything that has what's supposed to have a secure login shouldn't be exposing passwords like this.
You do not need any passwords to import all of it (Cookies/Passwords) if you are already logged in. Chrome uses Windows DPAPI to encrypt it on the disk, its automagically decrypted when logged in.
This "hack" takes all of a minute and provides access not to the data on the desktop, but to every website or web based login used, if the user relies on chrome for such things. This isn't "if a thief is physically in your data center you've already lost". This is "I went three doors down to the vending machine for a soda and Oh My God they got my bank account credit cards and all my social media"
But this is not an attacker this is anyone you don't need to compile dll
When you got one computer with several passwords to google accounts you can than sync them to your chrome browser and so on
you can steal millions of google accounts and sync it to one malicious account.
people probably doing it right now :(
I think.it's security issue I manged to "steal" my family google acount and their freinds with their permision
you can't beleive how many I got in few seconds.
so I reported as security issue....
or you could just import all of it with one small command line program without even popping GUI on the screen? Doable in 3 seconds with a pendrive. This is a non story, autor somehow thinks his own computer should fight him.
The thing is that even if you are logged out like most of the people every thing is saved in the default profile so when you logging in to chrome you just take all the passwords , think about college computers farm or public computers ....
This makes it sound like "with enough time and patience anything is possible"
But the steps described aren't even what i would call a hack. You could do them by accident if you were trying to log in to your own account under someone elses computer using chrome, in less than a minute if you're quick. It requires no technical knowledge and can be done with time to spare during someone's bathroom break.
Here's the process in a nutshell:
1) logout of their account in chrome.
2) login to you're account
3) lie and say you were the previous per person
This isn't a hack. There is no hack! This is a very small step above the "honor system" as your security!