Security Concerns #1
Comments
There are two parts to such an attack/threat model:

1. Recovery of the secret

Since the key is static, it may be extracted by inspecting the JavaScript bundle that is shipped to the browser. While client-side code has no such capability, browser extensions can inspect (and modify) network request payloads. So a malicious extension could extract the key.

2. Arbitrary code execution

We've already covered a malicious browser extension, that would have access to the origin local storage and the key. Another would be arbitrary code execution from a third party. Since modern applications include hundreds (if not thousands) of dependencies, some of which get bundled in the final code that is executed on the client, it is possible that some untrusted code may access the local storage. To that, we can add unvetted runtime inclusion of third party code (eg: Google Tag Manager). Coupled with the first part, it would allow them to use an instance of

As a side note, this package was an experiment, I'm not sure it's actually possible to protect any kind of secret in the browser until browser APIs offer an interface to the system's keychain. The use of hardware security keys (eg: Yubikey) or enforcing the use of modern authentication systems (like WebAuthn / passkeys) may help provide a solution. This is why I'm not publishing v1.0.0 in this state (there will need to be many breaking changes until an eventual v1).

Thanks, this is very helpful.
Hello, first I want to thank you for your efforts for the open source community.
I saw in the doc you said that:
"It will not be secure against an attacker that inspects the source code of the page (eg: browser extensions) to find the key and can run arbitrary scripts on your origin to decrypt the stored state."
Can you please give some light on this statement, or give us a real world example on how an attacker could reach the private key?
Thank you.