simu / passwordhasherplus

Firefox-compatible Password Hasher Plus
https://addons.mozilla.org/en-US/firefox/addon/password-hasher-plus/

Master password can leak to websites #3

Closed L-Henke closed 5 years ago

L-Henke commented 7 years ago

Reusing the password form field for the master password is a bad idea which can be seen in many tools like this. Since websites can pull the content of the password form field on every key press, a malicious website can use this to retrieve the master password. No additional secret is used in the original mode of password hasher, so that a leaked master password can be used to create the password for every other page.

An example for this behavior is the create account page on GitHub. After every key press the content of the form field is sent to the server.

The original password hasher addon used its own popup for entering the master password, which prevents this extremely simple leak.

simu commented 7 years ago

Thanks for the feedback!

I'm aware of this flaw, which has carried over from the Chrome version. I currently don't have time to figure out how to implement general improvements to the extension. In particular, if you know an easy way of doing something popup-like in the webextensions framework, I'm all ears.

mdrie commented 7 years ago

@simu I had a look at it. I think that jQuery UI dialog would be a good idea, since you already use jQuery qtip. I tried it, but the custom minimal jquery-ui file you have in lib/ does not contain dialog. Since I do not know which jquery-ui features you selected when creating the custom file, I would have to put a second one in there - most likely with a lot of duplicate content. Could you please update the jquery-ui file including the dialog, and/or document which jquery-ui you need? Thanks!

simu commented 7 years ago

@mdrie: As far as I can see from a quick look, the only feature needed from jquery-ui is Autocomplete.

As I did not write this extension from scratch and haven't had to touch the popup code to get the extension to work on Firefox, I wasn't even consciously aware that jquery-ui is used in the extension.

mdrie commented 7 years ago

Thinking about it... ... when putting the dialog to enter the master password into the page's DOM - as I planned it, the page itself can in theory access it. ... maybe do that from the background-scripts? Does jquery-ui work there?

simu commented 7 years ago

I don't think you can easily show a popup from the background script, IIRC. What might work is to put the master password field into the settings popup which you get when clicking on the '#' button in the topbar.

mvo5 commented 6 years ago

This issue is bothering me quite a bit and as much as I love having passhash back, it's a show-stopper for me. I hope to be able to look into this more (but time is limited). As a start I created a minimal example of how implementing a dialog similar to what the old passhash was doing would work in the new web-extension world: https://github.com/mvo5/webextension-dialog-example.

I think we also need some simple mechanism that ensures that such a dialog comes from our extension and not from a malicious webpage that is faking the dialog. One simple way could be to have a user-set greeting (via the options page) in the dialog. A website cannot know this, so a (security-conscious) user can easily spot if it is a spoof or not.

jklmnn commented 6 years ago

For ensuring authenticity, a token could be used that is generated on installing the addon and is unique to the browser instance. It should be shown in the dialog. I think this is hard to spoof (unless the token is known or too short).

simu commented 6 years ago

Re: fake dialog, should not be a big deal, as the window title would not say moz-extension://[the extension's internal UUID] for a fake dialog.

Personally, I'm more in favour of moving the password entry and hashing to the popup button context, which is impossible to fake for websites, and just communicate the request for opening the popup button and the hash word between the content script and the popup button context.

I'm assuming this is just for testing purposes, but having the popup open when clicking on any textbox is super annoying.

mvo5 commented 6 years ago

@simu This is just for testing purpose :) I wanted to build something minimal to see how the communication might work, my example is not useful for anything other than as a demo. As for popup/dialog I don't mind either way.

simu commented 6 years ago

@mvo5 I assumed as much :)

I'm currently working on #4 because, imho, that's the more pressing issue, but I'm going to look into this next, in conjunction with enabling all the choices for hash generation to address #11.

edit: also, having webextensions API storage instead of regular localStorage means that we can access the settings directly from the popup context making everything much easier :)

mdrie commented 6 years ago

Thanks for looking into this. I did not get anywhere fast enough and ran out of time.

phreaknerd commented 6 years ago

Give this a try: I've built it from scratch with popup support. https://addons.mozilla.org/en-US/firefox/addon/password-hasher-ng/ Maybe you can snatch some code there: https://github.com/phreaknerd/passhash-ng

Feedback very much appreciated.