[SECURITY] Fix for credential leak vector #231 (fixes #230)

- Credentials are now discarded immediately as soon as the tab has loaded - Credentials are not supplied to any model login that occurs after the tab has loaded - If the domain requesting credentials is not the same as the domain that was launched, the user will be asked if they really want this.
browserpass · Mar 22, 2018 · e32c41f · e32c41f
1 parent 67c2ac5
commit e32c41f
Showing 1 changed file with 69 additions and 33 deletions.
diff --git a/chrome/background.js b/chrome/background.js
@@ -99,46 +99,82 @@ function onMessage(request, sender, sendResponse) {
   // spawn a new tab with pre-provided credentials
   if (request.action == "launch") {
     chrome.tabs.create({ url: request.url }, function(tab) {
+      var tabLoaded = false;
       var authAttempted = false;
-      chrome.webRequest.onAuthRequired.addListener(
-        function authListener(requestDetails) {
-          // only supply credentials if this is the first time for this tab
-          if (authAttempted) {
+
+      // listener function for authentication interception
+      function authListener(requestDetails) {
+        // only supply credentials if this is the first time for this tab, and the tab is not loaded
+        if (authAttempted) {
+          return {};
+        }
+        authAttempted = true;
+
+        // don't supply credentials for loaded tabs
+        if (tabLoaded) {
+          return {};
+        }
+
+        // ask the user before sending credentials to a different domain
+        var launchHost = request.url.match(/:\/\/([^\/]+)/)[1];
+        if (launchHost !== requestDetails.challenger.host) {
+          var message =
+            "You are about to send login credentials to a domain that is different than " +
+            "the one you lauched from the browserpass extension. Do you wish to proceed?\n\n" +
+            "Launched URL: " +
+            request.url +
+            "\n" +
+            "Authentication URL: " +
+            requestDetails.url;
+          if (!confirm(message)) {
+            return {};
+          }
+        }
+
+        // ask the user before sending credentials over an insecure connection
+        if (!requestDetails.url.match(/^https:/i)) {
+          var message =
+            "You are about to send login credentials via an insecure connection!\n\n" +
+            "Are you sure you want to do this? If there is an attacker watching your " +
+            "network traffic, they may be able to see your username and password.\n\n" +
+            "URL: " +
+            requestDetails.url;
+          if (!confirm(message)) {
             return {};
           }
-          authAttempted = true;
-          // remove event listeners once tab loading is complete
-          chrome.tabs.onUpdated.addListener(function statusListener(
-            tabId,
-            info
-          ) {
-            if (info.status === "complete") {
-              chrome.tabs.onUpdated.removeListener(statusListener);
-              chrome.webRequest.onAuthRequired.removeListener(authListener);
-            }
-          });
-          // ask the user before sending credentials over an insecure connection
-          if (!requestDetails.url.match(/^https:/i)) {
-            var message =
-              "You are about to send login credentials via an insecure connection!\n\n" +
-              "Are you sure you want to do this? If there is an attacker watching your " +
-              "network traffic, they may be able to see your username and password.\n\n" +
-              "URL: " +
-              requestDetails.url;
-            if (!confirm(message)) {
-              return {};
-            }
+        }
+
+        // supply credentials
+        return {
+          authCredentials: {
+            username: request.username,
+            password: request.password
           }
-          return {
-            authCredentials: {
-              username: request.username,
-              password: request.password
-            }
-          };
-        },
+        };
+      }
+
+      // intercept requests for authentication
+      chrome.webRequest.onAuthRequired.addListener(
+        authListener,
         { urls: ["*://*/*"], tabId: tab.id },
         ["blocking"]
       );
+
+      // notice when the tab has been loaded
+      chrome.tabs.onUpdated.addListener(function tabCompleteListener(
+        tabId,
+        info
+      ) {
+        if (tabId == tab.id && info.status == "complete") {
+          // remove listeners
+          chrome.tabs.onUpdated.removeListener(tabCompleteListener);
+          chrome.webRequest.onAuthRequired.removeListener(authListener);
+
+          // mark tab as loaded & wipe credentials
+          tabLoaded = true;
+          request.username = request.password = null;
+        }
+      });
     });
   }
 }