
[bug] Editing html buttons lets you re-enable them and bypass master password #51

Closed
GreatestFool opened this issue Feb 4, 2021 · 4 comments

Comments

@GreatestFool

If you edit the DOM element of the buttons in the settings, you can bypass the master password. E.g. JSON import is disabled when you've set a master password (because importing overwrites the master password if a hash isn't specified); if you edit the DOM element and remove disabled="" or change it to enabled="", it allows you to import a JSON because there's no security check.

[screenshot]

Presumably, this can be bypassed by generating a security token once the master password has been entered and accepted that lasts for the entire session, as long as the page is open or for a certain amount of time. This would be nice if it was configurable.

@ray-lothian
Owner

If a user knows how to inspect the options page and alter attributes, then I assume inspecting the background page is not harder. If so, this user can disable the navigation observer altogether. So although this is a valid issue, there is no point in fixing it.

@GreatestFool
Author

And by not fixing it, there is no point in using this for anything more than a gimmick.

You don't ignore a fix to a problem because there is someone who knows how to bypass it; there is always someone who knows how to bypass it or has the skills to figure out how. You do it to make it harder. Most users, even those that can inspect elements, will give up if it requires anything more than two minutes to bypass. Likewise, this is for the actual settings page, which is why it is more important. Just opening the DOM explorer is not an advanced skill, it's bottom of the barrel (not even at a script kiddie level); you are over-evaluating the skill it takes to open it.

If you have the necessary skills to disable the navigation observer, then you can assume they are more capable than being able to inspect an element and having the amazing, awe-inspiring capacity for thought to change the thing that says disabled to enabled or remove it outright.

@ray-lothian
Owner

As of the next release, the extension will ask and double-check the master password before performing important actions on the options page.

@GreatestFool
Author

Thank you :)
