Anyone with read access to your computer can get access to the password, even if the database (localStorage/whatever) is encrypted. All an attacker has to do is copy over the user data directory (`~/.config/google-chrome` on Linux, somewhere in AppData on Windows), start Chrome on their own PC with the `--user-data-dir` flag set to the copied directory, and use the app - the stored credentials will be used to log in to whatever site you're using (and they can be easily sniffed via the developer tools).

Instead, I suggest you see if the service has an authorization API. For example, you can have your extension request partial permissions to the Google account. Of course, if the data directory is stolen, then the attacker has access to these permissions. Many sites (like Twitter) support OAuth, that's another thing you can try. Most OAuth-enabled sites only give limited permissions via OAuth. Otherwise, store the password on your server, and have the server do everything - just use your extension for communicating with the server and displaying the result. This way, an attacker can only work within the bounds of what your extension can do.

In the end, whatever method you use to secure it, an attacker stealing the data directory will be able to do some damage. All you can do is help restrict the possibilities - with the direct password, an attacker can do all sorts of stuff like change the password. With a restricted permissions API key, the attacker can only work within the bounds of those perms.