A naive question about security #2132
Maybe we could create a wiki page or a document where it describes how the extension prevents retrieving any credentials behind the user's back.
KeePassXC side:
Extension side:
Thank you for your detailed answer! Yes, I think it would be good to at least make mentions of these security measures either in the readme, or in the wiki with a link from the readme.
So if I understand correctly, all entries where, on the login form, I just have to click on the KeePassXC logo to input credentials without any other confirmation can be sent? Are these the ones where I check the "Remember" box in the modal below (pardon my French)? Just to be sure to understand the list of security measures you list on "Extension side", could you tell me if the following scenario is possible and follow and correct my reasoning?
If I understand correctly,
Let's assume that the malicious website is accessible from a URL matching an entry in the DB: either because the user saved an illegitimate URL in a DB entry, because a legitimate website has been compromised and now serves malicious scripts, or because the attacker managed to redirect the user's traffic for a legitimate website to an attacker-controlled host in HTTP, or in HTTPS and the user ignored the browser warning on the illegitimate certificate (yes, it is a lot).
Another protection mechanism is that the extension doesn't just accept any old url to retrieve credentials from. It gets a signal from the webpage (or iframe) that credentials are requested and then uses the actual url of that webpage (or iframe) to narrow the request to KeePassXC. In other words, a malicious website can't just cycle through a bunch of urls trying to gather credentials from KeePassXC.
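The pattern described in the comment above, as an added example that is not part of the original thread and is not KeePassXC-Browser source code: a background handler that ignores any URL carried in the message and uses the browser-reported `sender.url` of the requesting frame instead, shown beside the weak form. The `get_credentials` action name, the function names, the sample entries and the exact-origin matching rule are assumptions made for illustration.

```javascript
// Added illustration; all names below are hypothetical, not the extension's own.
// Constructed sample entries standing in for the password database.
const SAMPLE_DB = [
  { url: "https://bank.example/login", username: "alice" },
  { url: "https://mail.example/", username: "alice@mail.example" },
];

// Return entries whose origin (scheme + host + port) equals the given origin.
// Exact-origin matching is a simplification chosen for this example.
function lookup(origin) {
  return SAMPLE_DB.filter((entry) => new URL(entry.url).origin === origin);
}

// Weak pattern: trusts a URL carried in the message body, which code running
// in the page context could set to any value it likes.
function handleNaive(message, sender) {
  return lookup(new URL(message.url).origin);
}

// Hardened pattern: message.url is never read. The lookup is keyed on the URL
// the browser itself reports for the frame that sent the message.
function handleHardened(message, sender) {
  if (!sender || typeof sender.url !== "string") return [];
  let frameUrl;
  try {
    frameUrl = new URL(sender.url);
  } catch {
    return []; // unparsable sender URL: answer with nothing
  }
  // Only ordinary web frames may request credentials (not about:, data:, ...).
  if (frameUrl.protocol !== "https:" && frameUrl.protocol !== "http:") return [];
  return lookup(frameUrl.origin);
}

// Wiring inside a WebExtension background script; skipped when run under Node.
if (typeof chrome !== "undefined" && chrome.runtime?.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    if (message.action === "get_credentials") {
      sendResponse(handleHardened(message, sender));
    }
  });
}
```
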
@droidmonkey Good to know! Thank you for this precision. My questions and hypothetical scenario in my message above stand, about the possibility for a malicious website posing for a legitimate one to obtain the credentials for this particular website.
Nothing we can do to protect you from this situation. There are security layers in place for a reason, once you breach the trust layer (valid certificate) then all bets are off.
In this case retrieving the credentials you previously stored/gave to the illegitimate website is rather moot.
In this case the website has been majorly breached or has not enabled Cross-Site-Script protection. There isn't much KeePassXC can do, at all, to protect you from this scenario.
In theory every malicious browser extension there is can steal your credentials after you have filled them to the web page. There's nothing that we can do to prevent that. The only prevention is that any other script/extension doesn't have access to the data that is shown to you by the extension.
Ok, so to sum it up, if we put aside situations where the user makes a mistake (by saving a malicious URL in their DB or bypassing a certificate warning in their browser): there is no way that a website can steal credentials from a KeePassXC database using the browser extension, except if it is a legitimate website that has been breached and now embeds malicious scripts. Am I correct?
Yes. Problems arise if the website is breached, user has some malware or malicious browser extensions (including ours). Misusing the extension itself is quite difficult.
There's a cool permission trick you can use in Google Chrome. You can right-click the extension icon and change the extension's permissions so that it cannot access the page unless you first click the icon. With this in place you don't get any autofill capabilities on any websites until you first opt-in by clicking the icon. This should dramatically reduce the attack surface since the extension won't be able to talk to the website unless you allow it to, and then for only a short period of time (usually until you've submitted the login form). I don't know if this is possible in Firefox.
Hello,
I just recently started using the KeePassXC browser extension. It works great, but I'm wondering something about security. What's preventing a malicious website from querying the extension to obtain database entries? What are the mechanisms in place to prevent the extension from being arbitrarily queried for credentials and coerced into fetching and giving to the website?
If the answer to this question does exist already, could you point me to it (I couldn't find it), and maybe it could be displayed more prominently somewhere in the docs? Maybe even right in the Readme file, with a "Security" section for example. It could help regular users understand and use the extension, as well as security-conscious and tech-savvy users.
Thank you for your answer 🙂