Security FAQs

DANΞ edited this page Feb 2, 2021 · 5 revisions

Does this send my passwords somewhere?

Absolutely not - passwords are securely hashed locally, and those hashes are never transmitted. Hashes from passwords entered on enterprise domains are stored locally using Chrome's web storage, while passwords from non-enterprise domains are never stored. The only external communication this extension has is for event metadata (username, external domain, referrer) so an incident response team can investigate and respond accordingly.

Is this saving my passwords to disk? That's bad!

PhishCatch saves a one-way hash of enterprise (not personal) password(s) to disk. Specifically, it saves a salted PBKDF2-HMAC-SHA512 hash generated with 100,000 iterations. An attacker who managed to pull this hash off an endpoint would need an impractically large number of years to brute-force it.

Is web storage a safe place to put password hashes? What about XSS?

PhishCatch uses Chrome storage to save the hash of your enterprise password to disk. This storage is not accessible to websites or other extensions. The PhishCatch dev team does not believe that PhishCatch's code contains any browser-originated vulnerabilities (such as cross-site scripting) that would allow attackers access to stored hashes. Furthermore, were an attacker able to gain access to your computer's disk directly, we believe it would be technically infeasible to reverse the hashes.

Has this been audited by a third party?

SpecterOps performed a code review of the PhishCatch source code in November 2020. We intend to perform periodic re-assessments and release unredacted security reports as long as we maintain this project.

Does this let (my IT department | the PhishCatch dev team | Big Brother) see my personal passwords?

PhishCatch will not enable anyone, whether internal or external to your organization, additional ability to read your passwords. As mentioned above, enterprise passwords will only be stored in a highly protected one-way hash form and will not be accessible in plaintext to anyone at any time. Personal passwords are hashed on the fly and are only briefly stored in memory (not cached or otherwise written to disk).

That being said, it's important to understand that the best way to keep your personal information completely private is to use company hardware exclusively for work purposes.

Does this give Palantir the ability to see my passwords or access my accounts?

No.