Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Anyone With Local Access Can Steal All of Google Chrome’s Saved Passwords and More


1. Go to chrome://settings/manageProfile

2. Click Edit person, or go to chrome://settings/people

3. Sign Out.

4. Click "Sign in to Chrome" and use another Gmail account.

5. Chrome notes that another user was previously using Chrome, and you choose between "This Wasn't Me" or "This Was Me".

6. Choose "This Was Me": "Add my Bookmarks, History, Passwords, and other settings to the new Gmail account."

7. Click continue.

8. Sign in with the Gmail account used earlier and browse to chrome://settings/?search=password


All of the other user's passwords, history, and bookmarks are now captured and available, without the person at the keyboard ever knowing what that user's password was. A simple fix to this “feature” would be to challenge a user for the original account password before allowing the merge.

Security researchers reported this to Google and their response was “Yes, given unrestricted access to a user’s account, you can steal data from it; Status: WontFix”
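The fix proposed above, sketched as an added example (not Chrome's code and not from the original post): the "This Was Me" merge is refused unless the previous account's password is re-entered. `Account`, `Profile`, `switch_account` and `ReauthRequired` are hypothetical names, and the local PBKDF2 verifier stands in for a real sign-in challenge at the identity provider.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    # Assumption: stand-in for the identity provider's record; a real browser
    # would send the user through the provider's sign-in flow instead.
    email: str
    salt: bytes
    verifier: bytes

    @classmethod
    def create(cls, email: str, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(email, salt, _kdf(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.verifier, _kdf(password, self.salt))

@dataclass
class Profile:
    owner: Account
    passwords: dict = field(default_factory=dict)
    bookmarks: list = field(default_factory=list)

class ReauthRequired(Exception):
    """Merge refused: control of the previous account was not proven."""

def switch_account(profile, new_owner, this_was_me, previous_password=None):
    """Return the local profile the newly signed-in account ends up with."""
    if not this_was_me:
        # "This Wasn't Me": the new account starts clean, old data stays behind.
        return Profile(new_owner)
    # "This Was Me": the merge hands over saved data, so challenge first.
    if previous_password is None or not profile.owner.check_password(previous_password):
        raise ReauthRequired(f"re-enter the password for {profile.owner.email}")
    return Profile(new_owner, dict(profile.passwords), list(profile.bookmarks))

if __name__ == "__main__":
    # Constructed sample data.
    old = Profile(Account.create("owner@example.com", "correct horse"), {"bank.example": "hunter2"})
    try:
        switch_account(old, Account.create("other@example.com", "pw2"), this_was_me=True)
    except ReauthRequired as exc:
        print("merge blocked:", exc)
```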
