Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Security implications of storing client-side generated passphrase in chrome.storage.local

I've read through the documentation here which warns about the danger of storing secure information in chrome.storage.local since it is unencrypted.

For my application, the extension generates a passphrase for the user locally using a Javascript library packaged with the extension. That passphrase is then stored in chrome.storage.local and is never passed to a remote server via the extension. I understand there are security implications because this is unencrypted and the application is still under development. The purpose of this post is to discover the best security scheme possible.

The specific questions are...

  • What are the methods (attack vectors) one can employ to access chrome.storage.local outside of the extension itself?

  • Besides the risk of the client running the extension being compromised by a malicious script or application locally, is there a risk of a remote attack?

Thanks in advance for your help.

like image 993
loon3 Avatar asked Feb 16 '15 14:02

loon3


People also ask

Is Chrome local storage secure?

On the downside, localStorage is potentially vulnerable to cross-site scripting (XSS) attacks. If an attacker can inject malicious JavaScript into a webpage, they can steal an access token in localStorage. Also, unlike cookies, localStorage doesn't provide secure attributes that you can set to block attacks.

Is it safe to store passwords in local storage?

While most password managers work online, local storage is an even more secure option that may also be more convenient in some cases. With information kept only on a single device, there's no way for anyone to intercept your information online.

Is it safe to store user ID in local storage?

If an attacker can run JavaScript on your website, they can retrieve all the data you've stored in local storage and send it off to their own domain. This means anything sensitive you've got in local storage (like a user's session data) can be compromised.

Is browser localStorage encrypted?

No. localStorage is accessible by any webpage, and if you have the key, you can change whatever data you want. That being said, if you can devise a way to safely encrypt the keys, it doesn't matter how you transfer the data, if you can contain the data within a closure, then the data is (somewhat) safe.


1 Answers

Anyone with physical access can read the contents of the chrome.storage.local, however by design there is no way for another extension to access the data from your extension, or for a malicious site to directly access the data.

It is not impossible though - there could be some zero-day vulnerability that allows this to occur.

There is always some risk of remote attack that results in control of the device. Once this occurs, the same answer as above applies, i.e. someone with control of the device can read the local storage.

Its worth noting that Chromebooks have better protection against the above in that the underlying device storage may in fact be encrypted, and the attack surface for gaining direct access to that storage is very small. However, other devices do not have these protections.

like image 145
Steve Campbell Avatar answered Oct 02 '22 20:10

Steve Campbell