47ng / local-state-sync

Persist & sync encrypted app state between browser tabs and pages
MIT License

Security Concerns #1

Open Damar225 opened 1 year ago

Damar225 commented 1 year ago

Hello, first I want to thank you for your efforts for the open source community.

I saw in the doc you said that:

"It will not be secure against an attacker that inspects the source code of the page (eg: browser extensions) to find the key and can run arbitrary scripts on your origin to decrypt the stored state."

Can you please shed some light on this statement, or give us a real-world example of how an attacker could reach the private key?

Thank you.

franky47 commented 1 year ago

There are two parts to such an attack/threat model:

Recovery of the secret

Since the key is static, it may be extracted by inspecting the JavaScript bundle that is shipped to the browser. While client-side code has no such capability, browser extensions can inspect (and modify) network request payloads. So a malicious extension could extract the key.

Arbitrary code execution

We've already covered a malicious browser extension, which would have access to the origin's local storage and the key.

Another would be arbitrary code execution from a third party. Since modern applications include hundreds (if not thousands) of dependencies, some of which get bundled in the final code that is executed on the client, it is possible that some untrusted code may access the local storage. To that, we can add unvetted runtime inclusion of third party code (eg: Google Tag Manager).

Coupled with the first part, it would allow them to use an instance of local-state-sync to receive a copy of the secret state (or perform the same operations to decrypt it, but why bother when there's already code to do it for you).


As a side note, this package was an experiment; I'm not sure it's actually possible to protect any kind of secret in the browser until browser APIs offer an interface to the system's keychain. The use of hardware security keys (eg: Yubikey) or enforcing the use of modern authentication systems (like WebAuthn / passkeys) may help provide a solution. This is why I'm not publishing v1.0.0 in this state (there will need to be many breaking changes until an eventual v1).

Damar225 commented 1 year ago

Thanks, this is very helpful.