What is there to prove? The documentation *literally* says it is plain text.
Also: Any attacker can just copy the entire browser profile to another machine and then access the passwords. So he does not have to care about the implementation details of the password storage at all. On the other side, normal Chrome/Chromium (without Snap and this command line argument) is using Gnome Keyring to protect the passwords. In that case, the attacker would need the login password or a equivalent secret from PAM and friends. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1996267 Title: [snap] Doesn't store encrypted passwords unless interface is connected Status in chromium-browser package in Ubuntu: Confirmed Bug description: In the Snap package of Chromium, Chromium is not protecting passwords with gnome-keyring (or KWallet). As a result, copying the Chromium profile directory from the snap directory gives access to all stored passwords. This is a HIGH security risk. Regular users who are used to storing their passwords in browsers are probably unaware of this. Note that Chromium is started with the command line option “--password-store=basic”. This hack should never have been released to the public. The Chromium documentation states: > --password-store=basic (to use the plain text store) https://chromium.googlesource.com/chromium/src/+/master/docs/linux/password_storage.md To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1996267/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
