I've read through the documentation here which warns about the danger of storing secure information in chrome.storage.local since it is unencrypted.
For my application, the extension generates a passphrase for the user locally using a JavaScript library packaged with the extension. That passphrase is then stored in chrome.storage.local and is never passed to a remote server via the extension. I understand there are security implications because this is unencrypted and the application is still under development. The purpose of this post is to discover the best security scheme possible.
The specific questions are...
What are the methods (attack vectors) one can employ to access chrome.storage.local outside of the extension itself?
Besides the risk of the client running the extension being compromised by a malicious script or application locally, is there a risk of a remote attack?
Thanks in advance for your help.
On the downside, localStorage is potentially vulnerable to cross-site scripting (XSS) attacks. If an attacker can inject malicious JavaScript into a webpage, they can steal an access token in localStorage. Also, unlike cookies, localStorage doesn't provide secure attributes that you can set to block attacks.
While most password managers work online, local storage is an even more secure option that may also be more convenient in some cases. With information kept only on a single device, there's no way for anyone to intercept your information online.
If an attacker can run JavaScript on your website, they can retrieve all the data you've stored in local storage and send it off to their own domain. This means anything sensitive you've got in local storage (like a user's session data) can be compromised.
No. localStorage is accessible by any webpage, and if you have the key, you can change whatever data you want. That being said, if you can devise a way to safely encrypt the keys, it doesn't matter how you transfer the data, if you can contain the data within a closure, then the data is (somewhat) safe.
Anyone with physical access can read the contents of chrome.storage.local; however, by design there is no way for another extension to access the data from your extension, or for a malicious site to directly access the data.
It is not impossible though - there could be some zero-day vulnerability that allows this to occur.
There is always some risk of remote attack that results in control of the device. Once this occurs, the same answer as above applies, i.e. someone with control of the device can read the local storage.
It's worth noting that Chromebooks have better protection against the above in that the underlying device storage may in fact be encrypted, and the attack surface for gaining direct access to that storage is very small. However, other devices do not have these protections.
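The answer above says that anyone with access to the device can read chrome.storage.local. One way to limit that exposure, shown here as an added example that is not part of the original question or answer, is to encrypt the passphrase with a key derived from a master password the user types in, and to store only the resulting record. The master password, the record layout and the names `sealPassphrase` and `openPassphrase` are assumptions; a key saved next to the ciphertext would protect nothing.

```javascript
// Added example: encrypt a secret before it is written to chrome.storage.local.
// WebCrypto is global in extension pages and service workers; the require()
// fallback only lets the same code run under older Node versions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const PBKDF2_ITERATIONS = 600000; // assumption: tune for your users' hardware

const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-256-GCM key from the master password.
async function deriveKey(masterPassword, salt, iterations) {
  const material = await subtle.importKey(
    'raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns a JSON-serialisable record; only this record is persisted.
async function sealPassphrase(passphrase, masterPassword) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh per record
  const key = await deriveKey(masterPassword, salt, PBKDF2_ITERATIONS);
  const ct = await subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(passphrase));
  return { v: 1, iterations: PBKDF2_ITERATIONS,
           salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Returns the passphrase, or null for a wrong password or a modified record.
async function openPassphrase(record, masterPassword) {
  try {
    const key = await deriveKey(
      masterPassword, fromB64(record.salt), record.iterations);
    const pt = await subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ct));
    return new TextDecoder().decode(pt);
  } catch (e) {
    return null; // GCM tag check failed: do not use the data
  }
}

// In the extension (not executed here):
//   await chrome.storage.local.set({ vault: await sealPassphrase(p, master) });
//   const { vault } = await chrome.storage.local.get('vault');
```

This protects the stored record against someone reading the profile directory; it does not help once an attacker controls the running browser while the passphrase is decrypted in memory.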