-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug] Editing html buttons lets you re-enable them and bypass master password #51
Comments
If a user knows how to inspect the options page and alter attributes, then I assume, inspecting the background page is not harder. If so, this user can disable the navigation observer altogether. So although this is a valid issue, there is no point in fixing it |
And by not fixing it, there is no point in using this for anything more than a gimmick. You don't ignore a fix to a problem because there is someone who knows how to bypass it, there is always someone that knows how to bypass it or has the skills to figure out how, you do it to make it harder. Most users, even those that can inspect elements will give up if it requires anything more than some two minutes to bypass. Likewise, this is for the actual settings page, which is why it is more important. Just opening the DOM explorer is not an advanced skill, it's bottom barrel -not even at a script kiddie level-, you are over-evaluating the skill it takes to open it. If you have the necessary skills to disable the navigation observer, then you can assume they are more capable than being able to inspect an element and have the amazingly, awe-inspiring, capacity for thought to change the thing that says disabled to enabled or remove it outright. |
As of the next release, the extension will ask and double-check the master password before performing important actions on the options page. |
Thank you :) |
If you edit the DOM element of the buttons in the settings, you can bypass the master password. E.g. json import is disabled (because importing overwrites the master password if hash isn't specified) because you've set a master password, if you edit the DOM element and remove
disabled=""
or change it toenabled=""
, it allows you to import a json because there's no security check.Presumably, this can be bypassed by generating a security token once the master password has been inputted and accepted that lasts for the entire session; as long as the page is open or for a certain amount of time. This would be nice if it was configurable.
The text was updated successfully, but these errors were encountered: