Reason why interesting:
This article is about an attack on Chrome Extensions. In this case 1Password. Since Passbolt is also used as an extension, I ask myself the question to what extent it is or can be hardened against this type of attack.
Hello @txt,
Unfortunately this is not new. Malicious extensions are something that we consider outside of the threat model, i.e. not a solvable problem on our side. Depending on the permissions given to a malicious extension, it is very hard to defend against. One can try to build behavioral detection mechanisms, like the solution sqrx themselves are selling. The easiest in my opinion is to make sure you're only installing vetted extensions, especially if they ask for the "read all data on all websites" permission.
On the Chrome team's side, however, there is probably some work they could do to improve the situation: "We also recommended Chrome to ban abrupt extension icon and HTML changes" seems like a reasonable request. The utility of the chrome.management API also needs to be looked at; for example, an extension should probably not be allowed to control other extensions unless a relation is established in the manifest.
My 2 cents, cheers,
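The two points made above, the "read all data on all websites" permission and the chrome.management permission, both show up in an extension's manifest.json before it is ever installed. As an added example that is not part of the post and not Passbolt's own code, here is a small Node script that flags them. The permission names and host patterns are the ones Chrome's manifest format uses; the severity descriptions and the three sample manifests are constructed for illustration.

```javascript
// Added example (not from the post or from Passbolt): audit a Chrome extension
// manifest for the permissions discussed above before installing it.
// Runs under Node; the manifests at the bottom are constructed, not real extensions.

// Host patterns Chrome presents as "Read and change all your data on all websites".
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions worth a second look. The descriptions are a summary written
// for this example, not Chrome's install-prompt wording.
const RISKY_API = {
  management: "can list, disable or uninstall other extensions",
  tabs: "can read the URL and title of every open tab",
  webRequest: "can observe network requests to permitted hosts",
  debugger: "can drive pages through the DevTools protocol",
  scripting: "can inject scripts into any host it has access to",
};

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");
const isAllSites = (p) => ALL_SITES.has(p.trim());
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns the list of findings (strings) for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 mixes host patterns into "permissions"; MV3 keeps them in "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...perms.filter(isHostPattern)];
  const optHosts = [
    ...(manifest.optional_host_permissions || []),
    ...(manifest.optional_permissions || []).filter(isHostPattern),
  ];

  if (hosts.some(isAllSites)) findings.push("host: read all data on all websites");
  if (optHosts.some(isAllSites)) findings.push("optional host: may request all-site access at runtime");

  for (const p of perms) {
    if (hasOwn(RISKY_API, p)) findings.push(`api: ${p} (${RISKY_API[p]})`);
  }

  // A content script matched on every site reads page content regardless of API permissions.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllSites)) findings.push("content_script: injected into every site");
  }
  return findings;
}

// One line per manifest; "nothing flagged" when the findings list is empty.
function report(manifest) {
  const f = auditManifest(manifest);
  return `${manifest.name}: ${f.length ? f.join("; ") : "nothing flagged"}`;
}

// Constructed sample manifests (hypothetical names and hosts).
const MINIMAL_MANIFEST = {
  manifest_version: 3,
  name: "constructed-minimal",
  permissions: ["storage"],
  host_permissions: ["https://passbolt.example/*"],
};

const GREEDY_MANIFEST = {
  manifest_version: 3,
  name: "constructed-greedy",
  permissions: ["storage", "management", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

const MV2_MANIFEST = {
  manifest_version: 2,
  name: "constructed-mv2",
  permissions: ["https://*/*", "management"],
};

for (const m of [MINIMAL_MANIFEST, GREEDY_MANIFEST, MV2_MANIFEST]) {
  console.log(report(m));
}
```

To check a real extension, load its manifest.json with `JSON.parse(fs.readFileSync(path))` and pass the object to `auditManifest`. An empty result does not make an extension safe, it only means none of the broad grants the reply warns about are requested up front.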
Thank you for the classification.
Does the self-selected colored token provide an extra level of security or is it just as easy for a malicious extension to render it as the original extension?
I would say in theory yes, as the security token cannot be known to another extension: to my knowledge, another extension would not be able to insert content scripts into the iframe that is controlled by another extension. Unless you control both extensions, that is.
That being said, the security token was introduced mostly to prevent websites from impersonating the extension. It was not designed to protect against malicious extensions. A malicious extension can, for example, extract credentials without access to the private key and passphrase by reading them when they are inserted into the page. Or the malicious extension manages to trick the user into importing the key and then entering the passphrase.
Bottom line is that we consider malicious extensions a similar scenario to having a keylogger or malware on the client. The current design of passbolt may slow down a malicious extension, but not fully protect against them.