Big security issue with chrome?


#1

Hello, Ubuntu 16.04.5 user here.

Today I downloaded Brave (apt way) and started using it. I imported my data from my default Chrome settings (history, bookmarks, passwords).

The process was smooth. What I find concerning is how Brave is capable of importing all my passwords from Chrome. I know Chrome is not very safe about saving passwords, but letting any external app read all my passwords with a single click, without asking for additional permissions or an extra password (like Firefox), makes me uncomfortable.

IMHO that means that passwords must be saved somewhere in my Chrome profile unencrypted (or encrypted in an easily known way), and that means that any program that I install can potentially read all my passwords without my knowledge. Of course, in the case of Brave I pushed the import button, but I guess any other program could potentially read all my passwords and send them out without even clicking a button.

WDYT?

I think that’s a big failure of Chrome. Does Brave have the same issue, being based on Chromium?
Is this a big issue, or am I just being paranoid?

Regards,

Carlos Ruiz


#2

Pretty much every web browser stores your saved passwords unprotected on disk. Including Brave (which is, after all, based on Chrome). The situation is a little better on macOS where Safari uses the built-in protected Keychain system to great effect.

Firefox has an option to set a Master Password. This will encrypt your passwords, and you’ll be required to enter the password when you start Firefox to unlock access to your passwords.

You can use a third-party password manager like Bitwarden or LastPass (both are available in Brave) to add additional protection.


#3

Thanks for the advice @2da, I deleted all my Chrome and Brave passwords, and will give Bitwarden a try.


#4

Regarding @CarlosRuiz’s main statement above, I’d like to get a more definite answer to this in relation to Brave-Core. No offence @2da, because I don’t think it is saved unprotected.

Carlos, here are a couple of currently open issues related to this, with further conversation on the matter:



#5

Thanks @Numpty - yes, I think definitely a master encryption pass (as in Firefox) is a lot safer than the current approach from the chrom* family.

I added my +1 in the provided GitHub link.


#6

Link this topic there with the +1. I also want a reply from them regarding your initial statement in relation to Brave-Core, if that’s alright.

Brave-Core is what they’re transitioning to, by the way, making Brave fully Chromium based rather than half Chromium, half Muon/Electron. Naturally it will get rid of the many issues and make it more efficient in the long run.

A little word of advice as well, Carlos: maintain a backup of your imports at least until they switch to Brave-Browser/Brave-Core. They say the transition from this current version to the new version would be seamless, but precaution is best.