The security flaw in the Chrome browser was uncovered by Web designer Elliot Kember when he went to transfer bookmarks from his Safari browser to Chrome on his Apple computer.
In doing so, he discovered importing bookmarks into Chrome automatically defaults to also bringing over your saved password.
A setting option to disable the password import doesn't work on a Mac, he said.
Google has confirmed automatic syncing of passwords from Safari browsers was a bug in the Mac version of Chrome and says it will have a fix soon.
"Thanks to our users, who discovered a bug in Chrome's import interface, which improperly represents how passwords are handled upon import from other browsers," Google said in a statement provided to ABC News. "We developed a fix to better represent how passwords are handled across platforms, which will roll out to all users soon."
However, Kember said, that fix won't solve another problem; if you do import those passwords to Chrome they, and any other passwords you have saved in the browser, are completely unprotected.
Typing chrome://settings/passwords in the Chrome address bar reveals saved passwords and user names for the websites you visit, he said.
"There's no master password, no security, not even a prompt that 'these passwords are visible,'" Kember wrote on his blog, noting anyone with access to your computer could see the saved passwords.
In response, Google Head of Chrome Security Justin Schuh explained Google's choice to not require a master password.
"We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security and encourage risky behavior," Schuh wrote. "We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because, in effect, that's really what they get."