 

Security concerns for using localStorage or chrome.storage inside Chrome Extensions

I am building a Chrome extension that needs to persist sensitive user data. I know that you can use HTML5 but it is vulnerable to XSS, and possibly other forms of attack. I recently found out about chrome.storage but the docs say:

Confidential user information should not be stored! The storage area isn't encrypted.

Now my question is:

  1. Is there a secure way to store sensitive user data (i.e. a private key) in the browser?
fernandohur asked Nov 21 '13 19:11


1 Answer

The default content security policy pretty much protects you from XSS assuming you don't do anything really stupid. You could use some sort of a library to encrypt local data and make users enter a passphrase to decrypt the data. The attack vectors at this point are more around malware on the computer and other people with physical access. Chrome extensions themselves are well protected from other sites.

Ultimately though, anything installed on the computer or having access to the computer has the potential to access the private info regardless of what you do. My recommendation would be to make sure users are aware of how sensitive the data being stored is and that they need to maintain proper security precautions around getting access to the computer.

abraham answered Sep 20 '22 16:09
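One way to do the passphrase-based encryption the answer suggests, using the browser's built-in Web Crypto API instead of a third-party library. This is an added example, not code from the question or the answer; the function names, the record layout and the iteration count are assumptions.

```javascript
// Added example: encrypt a secret under a user passphrase before it is written
// to extension storage. Names and record layout are assumptions for illustration.
// The fallback lets the same code run under Node for testing.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 600000; // PBKDF2-HMAC-SHA256 work factor (assumed value)

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (text) => Uint8Array.from(atob(text), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-256-GCM key from the passphrase and a salt.
async function deriveKey(passphrase, salt, iterations) {
  const material = await webCrypto.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return webCrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns a JSON-serialisable record; only this record is persisted,
// never the passphrase or the derived key.
async function sealSecret(passphrase, plaintext) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh per encryption
  const key = await deriveKey(passphrase, salt, ITERATIONS);
  const ct = await webCrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  return { v: 1, iterations: ITERATIONS, salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Returns the plaintext, or null when the passphrase is wrong or the record
// was modified or is malformed (AES-GCM authentication fails on tampering).
async function openSecret(passphrase, record) {
  try {
    const key = await deriveKey(passphrase, fromB64(record.salt), record.iterations);
    const pt = await webCrypto.subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(record.iv) }, key, fromB64(record.ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}

// In the extension:
//   await chrome.storage.local.set({ vault: await sealSecret(pw, secret) });
```

This protects the data at rest in the unencrypted storage area; as the answer notes, it does not help against malware that can observe the passphrase or the decrypted value while the extension is unlocked.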