Security issue: extension stores personal information and credit card information in plaintext

Question

Security issue: extension stores personal information and credit card information in plaintext

Opened this issue 5 years ago · 1 comments

The extension uses chrome.storage.local to store all the autofill information. All profile information is accessible in plaintext in the file in Windows:

%APPDATA%\Local\Google\Chrome\User Data\<Profile>\Local Extension Settings\gdhmefadngapdfphedlcimcdplachcip\000003.log

(same applies for Mac, Linux), but in different directories where Chrome extension data is stored.

Google themselves have said not to store sensitive information using chrome.storage:
https://developer.chrome.com/apps/storage

It is easy for any chrome app or native app to access that file.

Given the nature of how this extension I am not sure how to completely remediate this. Perhaps store the information using encryption, and unlocking it with a password prompt for the user?

Answer 1 · 2020-05-10T12:39:20.000Z

What about using something like CryptoJS

const encrypted = CryptoJS.AES.encrypt('Message', 'Secret Passphrase');
const decrypted = CryptoJS.AES.decrypt(encrypted, 'Secret Passphrase');