Chrome stores some sensitive data in plaintext, but Google says it's supposed to


A flaw in Google's Chrome browser could leave it storing personal details that users don't expect to be recorded. The security firm Identity Finder reports that Chrome will sometimes store data that's been entered into secure websites, and that it'll store that data in plaintext so that anyone can read it. The details are kept inside one of Chrome's cache files buried within the file system, but anyone could see them if they had access to a Chrome user's computer and knew where to look. It's unclear exactly when Chrome chooses to store what would seemingly be secure data, but Google tells us that it realizes this can happen and that Chrome generally doesn't protect against attackers who already have access to a user's computer.

That security model has gotten Google into hot water before: over the summer, Chrome was criticized for storing saved passwords in its preferences menu where anyone can easily view them. Like that issue, this new one has actually been around for a while and isn't a major problem unless someone has physical access to a Chrome user's computer. But while this issue may be a lesser worry because the data is harder to access, Identity Finder did find sensitive information that users may not have wanted lying around in the first place. The data can be deleted by clearing Chrome's cache, though the browser will then begin to collect additional data once again.

In a statement, Google suggests that local data is best secured by using system-wide encryption tools. The company's full statement is below:

Chrome is the most secure browser and offers you control over how it uses and stores data. Chrome asks for permission before storing sensitive information like credit card details, and you don’t have to save anything if you don’t want to. Furthermore, data stored locally by Chrome will be encrypted, if supported by the underlying operating system. For example, Chrome OS encrypts all data stored locally by default. We recommend people use the security measures built into their operating system of choice.