wallabag / wallabagger

Chrome / Firefox / Opera plugin for wallabag v2.
http://wallabag.github.io/wallabagger/
MIT License
364 stars 47 forks

Critical security issue : Username and password are stored cleartext in storage.js #151

Open TheCapsLock opened 5 years ago

TheCapsLock commented 5 years ago

In addition to #145, Wallabagger stores the username and password in clear text in storage.js.

This looks like a critical security issue to me.

TheCapsLock commented 5 years ago

I tried to remove the password from storage.js; it seems to be required to get an API token when the previous one has expired.

Simounet commented 5 years ago

I agree, but I talked to the webextension guys from Mozilla and got this reply:

There's no non-cleartext way to store credentials with any extension API, similar to the situation with the password manager in a browser.
You can use webcrypto to lightly encrypt the file on disk, but note that it will still be trivially decodable if the decoder knows what extension the file belongs to.
(I guess storage.local is planned to be migrated to a non-cleartext file, but it's still not cryptographically secured.)
(And in the end this loops around to the whole "if a file isn't safe, why would anything running on your machine be safe" etc.)

We need https://github.com/wallabag/wallabag/issues/2800 to be fixed and handle tokens instead of credentials. Sorry about that.

vdbm commented 5 years ago

CRXcavator is an automated Chrome extension security assessment tool, created by DuoSecurity (Cisco), that assigns risk scores to Chrome extensions based on an objective set of criteria.

It points out one critical risk issue and one high risk issue for the Wallabagger 2 extension.

https://crxcavator.io/report/gbmgphmejlcoihgedabhgjdkcahacjlj/1.6.0

oleole39 commented 1 year ago

I see the credentials are currently (FF 114.0.1 + Wallabagger 1.16.0) stored in plaintext in storage.local using the webextension API. What is not clear to me is whether remote sites and/or other extensions with certain permissions can actually access this storage? Or is the actual threat limited to someone having access to the full storage database file (i.e. access to machine or to backup)?

Also, as long as #145 is not fixed (and as it doesn't seem to be currently worked on), could having an option not to save the username and password help and, if so, be considered? With that option enabled, every time one would like to save an article to Wallabagger, a prompt asking for username & password would appear. Ideally it could open a page with a form whose URL could be matched by a password manager connector (for instance KeepassXC).
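The token-only flow Simounet points at and the re-prompt behaviour oleole39 asks for, as an added example that is not wallabagger's code: the password is handed to the OAuth2 password grant once, only the access and refresh tokens are persisted, and a rejected refresh clears storage so the user is prompted again. It assumes a `storage` object shaped like browser.storage.local (a Map-backed stand-in is constructed below) and a `requestToken` function standing in for the POST to wallabag's token endpoint; the grant names and response fields are assumptions about that endpoint.

```javascript
// Added example, not wallabagger's own code: the password is used once for the
// OAuth2 password grant and never stored; only access/refresh tokens are kept, and
// a rejected refresh wipes them so the UI prompts for credentials again. Assumes
// `storage` exposes get/set/remove like browser.storage.local and `requestToken`
// posts the grant to wallabag's token endpoint, resolving to {access_token, refresh_token, expires_in}.
class TokenStore {
  constructor(storage, requestToken) {
    this.storage = storage;            // holds tokens only, never credentials
    this.requestToken = requestToken;
  }
  // Password grant: the credentials exist only within this call.
  async login(username, password) {
    const t = await this.requestToken({ grant_type: 'password', username, password });
    await this.saveTokens(t);
  }
  async saveTokens(t) {
    await this.storage.set({
      access_token: t.access_token,
      refresh_token: t.refresh_token,
      expires_at: Date.now() + t.expires_in * 1000,
    });
  }
  // Returns a usable access token, refreshing it when it is about to expire. If the
  // refresh grant is rejected too, storage is cleared and the caller must re-prompt.
  async getAccessToken() {
    const keys = ['access_token', 'refresh_token', 'expires_at'];
    const s = await this.storage.get(keys);
    if (s.access_token && Date.now() < s.expires_at - 30000) return s.access_token;
    if (!s.refresh_token) throw new Error('not logged in');
    try {
      const t = await this.requestToken({ grant_type: 'refresh_token', refresh_token: s.refresh_token });
      await this.saveTokens(t);
      return t.access_token;
    } catch (err) {
      await this.storage.remove(keys);
      throw new Error('session expired; credentials needed again');
    }
  }
}
// Constructed stand-in for browser.storage.local so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    get: async (keys) => Object.fromEntries(keys.map((k) => [k, m.get(k)])),
    set: async (obj) => { for (const [k, v] of Object.entries(obj)) m.set(k, v); },
    remove: async (keys) => { for (const k of keys) m.delete(k); },
    dump: () => Object.fromEntries(m),
  };
}
```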