keepassxreboot / keepassxc-browser

KeePassXC Browser Extension
GNU General Public License v3.0

A naive question about security #2132

Closed benji1000 closed 2 months ago

benji1000 commented 9 months ago

Hello,

I just recently started using the KeePassXC browser extension. It works great, but I'm wondering something about security. What's preventing a malicious website to query the extension to obtain database entries? What are the mechanisms in place to prevent the extension from being arbitrarily queried for credentials and coerced into fetching and giving to the website?

If the answer to this question does exists already, could you point me to it (I couldn't find it), and maybe it could be displayed more prominently somewhere in the docs? Maybe even right in the Readme file, with a "Security" section for example. It could help regular users understand and use the extension, as well as security-conscious and tech-savvy users.

Thank you for your answer 🙂

varjolintu commented 9 months ago

Maybe we could create a wiki page or a document where it describes how the extension prevents retrieving any credentials behind the user's back. Here's a short list.

KeePassXC side:

Extension side:

benji1000 commented 9 months ago

Thank you for your detailed answer! Yes, I think it would be good to at least make mentions of these security measures either in the readme, or in the wiki with a link from the readme.

no credentials are sent out without user knowing it. Unless the user has remembered a setting for an entry that this confirmation is not asked

So if I understand correctly, all entries where, on the login form, I just have to click on the KeePassXC logo to input credentials without any other confirmation can be sent? Are these the ones where I check the "Remember" box in the modal below (pardon my French)?


Just to be sure to understand the list of security measures you list on "Extension side", could you tell me if the following scenario is possible and follow and correct my reasoning?

The user browses to a malicious website. This website contains input fields that are acceptable for the extension to not ignore. The matching credentials are retrieved from the connected DB and filled in the fields. A script on the website gathers the filled data and exfiltrates them before any form submit, or by forcing it.

If I understand correctly,

Let's assume that the malicious website is accessible from a URL matching an entry in the DB: either because the user saved an illegitimate URL in a DB entry, because a legitimate website has been compromised and now serves malicious scripts, or because the attacker managed to redirect the user's traffic for a legitimate website to an attacker-controlled host in HTTP, or in HTTPS and the user ignored the browser warning on the illegitimate certificate (yes, it is a lot).

droidmonkey commented 9 months ago

Another protection mechanism is that the extension doesn't just accept any old url to retrieve credentials from. It gets a signal from the webpage (or iframe) that credentials are requested and then uses the actual url of that webpage (or iframe) to narrow the request to KeePassXC. In other words, a malicious website can't just cycle through a bunch of urls trying to gather credentials from KeePassXC.
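An added illustration of the point above, written for this thread and not taken from the extension's code: the lookup is keyed on the browser-supplied URL of the requesting frame, so a page-originated message cannot name an arbitrary URL. The sample database, the Sender type and the exact-origin matching rule are simplifying assumptions (KeePassXC's real entry matching is richer).

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample database for the demo; not real entries.
SAMPLE_DB = [
    {"title": "Bank", "url": "https://bank.example/login",
     "login": "alice", "password": "example-password-1"},
    {"title": "Forum", "url": "https://forum.example",
     "login": "alice", "password": "example-password-2"},
]


@dataclass(frozen=True)
class Sender:
    """Metadata the browser attaches to a content-script message.
    It describes the frame that actually sent the message; page scripts
    cannot set it. (Assumed shape for this demo.)"""
    url: str
    frame_id: int


def _origin(url: str) -> tuple[str, str]:
    """Reduce a URL to (scheme, host[:port]) for matching."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def lookup(frame_url: str, db=SAMPLE_DB) -> list:
    """Return entries whose saved URL has the same scheme and host as the
    requesting frame. Simplified stand-in for the real matching rules."""
    wanted = _origin(frame_url)
    return [e for e in db if _origin(e["url"]) == wanted]


def handle_get_logins(sender: Sender, payload: dict, db=SAMPLE_DB) -> list:
    """Handle a credentials request from a frame.

    The URL used for the lookup comes from `sender`, which the browser
    filled in. Any 'url' the page put in `payload` is deliberately ignored,
    so a site cannot cycle through URLs to harvest other entries.
    """
    _ = payload.get("url")  # present or not, it plays no part in the lookup
    return lookup(sender.url, db)
```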

benji1000 commented 9 months ago

@droidmonkey Good to know! Thank you for this precision.

My questions and hypothetical scenario in my message above stand, about the possibility for a malicious website posing as a legitimate one to obtain the credentials for this particular website.

droidmonkey commented 9 months ago

the user ignored the browser warning on the illegitimate certificate

Nothing we can do to protect you from this situation. There are security layers in place for a reason, once you breach the trust layer (valid certificate) then all bets are off.

because the user saved an illegitimate URL in a DB entry

In this case retrieving the credentials you previously stored/gave to the illegitimate website is rather moot.

can they force a submit of the form containing the input fields to a malicious page (either because the entire website is malicious, or by dynamically changing the target of the form)

In this case the website has been majorly breached or has not enabled Cross-Site-Script protection. There isn't much KeePassXC can do, at all, to protect you from this scenario.

varjolintu commented 9 months ago

Credentials for the URL are found and filled in the input fields which are acceptable for the extension to fill. With the Shadow DOM, scripts served by the malicious website do not have access to the data filled on the page by the extension, so they cannot silently exfiltrate it. But, can they force a submit of the form containing the input fields to a malicious page (either because the entire website is malicious, or by dynamically changing the target of the form)?

In theory every malicious browser extension there is can steal your credentials after you have filled them into the web page. There's nothing that we can do to prevent that. The only prevention is that any other script/extension doesn't have access to the data that is shown to you by the extension.

benji1000 commented 9 months ago

Ok, so to sum it up, if we put aside situations where the user makes a mistake (by saving a malicious URL in their DB or bypassing a certificate warning in their browser): there is no way that a website can steal credentials from a KeePassXC database using the browser extension, except if it is a legitimate website that has been breached and now embeds malicious scripts. Am I correct?

varjolintu commented 9 months ago

Ok, so to sum it up, if we put aside situations where the user makes a mistake (by saving a malicious URL in their DB or bypassing a certificate warning in their browser): there is no way that a website can steal credentials from a KeePassXC database using the browser extension, except if it is a legitimate website that has been breached and now embeds malicious scripts. Am I correct?

Yes. Problems arise if the website is breached, or the user has some malware or malicious browser extensions (including ours). Misusing the extension itself is quite difficult.

stefansundin commented 8 months ago

There's a cool permission trick you can use in Google Chrome. You can right-click the extension icon and change the extension's permissions so that it cannot access the page unless you first click the icon.


With this in place you don't get any autofill capabilities on any websites until you first opt-in by clicking the icon. This should dramatically reduce the attack surface since the extension won't be able to talk to the website unless you allow it to, and then for only a short period of time (usually until you've submitted the login form).

I don't know if this is possible in Firefox.