Security issue: extension stores personal information and credit card information in plaintext
Opened this issue · 1 comments
carlzoo commented
The extension uses chrome.storage.local to store all the autofill information. All profile information is accessible in plaintext in this file on Windows:
%APPDATA%\Local\Google\Chrome\User Data\<Profile>\Local Extension Settings\gdhmefadngapdfphedlcimcdplachcip\000003.log
(The same applies on Mac and Linux, but in the different directories where Chrome extension data is stored.)
Google themselves have said not to store sensitive information using chrome.storage:
https://developer.chrome.com/apps/storage
It is easy for any Chrome app or native app to access that file.
Given the nature of how this extension works, I am not sure how to completely remediate this. Perhaps store the information using encryption, and unlock it with a password prompt for the user?
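
The remediation suggested in the comment above (encrypt the data and unlock it with a password prompt), as an added example; it is not code from the extension or from the issue's author. It assumes WebCrypto is available to the extension, and the function names `sealProfile` and `openProfile`, the `vault` storage key and the iteration count are hypothetical choices.

```javascript
// Added example, not the extension's code. sealProfile, openProfile and the
// "vault" key are hypothetical names. Uses WebCrypto (PBKDF2 + AES-256-GCM).
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback: older Node.js only
const PBKDF2_ITERATIONS = 600000; // assumption: tune for the slowest supported device

// Base64 helpers; adequate for small records such as an autofill profile.
const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-GCM key from the user's password.
async function deriveKey(password, salt, iterations) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt a profile into a JSON-safe record; only this record goes to storage.
async function sealProfile(password, profile) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh for every encryption
  const key = await deriveKey(password, salt, PBKDF2_ITERATIONS);
  const plaintext = new TextEncoder().encode(JSON.stringify(profile));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext);
  return { v: 1, iterations: PBKDF2_ITERATIONS,
           salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Returns the profile, or null when the password is wrong or the record was altered.
async function openProfile(password, record) {
  const key = await deriveKey(password, fromB64(record.salt), record.iterations);
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(record.iv) }, key, fromB64(record.ct));
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null; // the GCM authentication tag did not verify
  }
}

// In the extension (promise form of the storage API; not run here):
//   await chrome.storage.local.set({ vault: await sealProfile(pw, profile) });
//   const { vault } = await chrome.storage.local.get("vault");
//   const profile = await openProfile(pw, vault);
```

This protects the file on disk from other programs that read it; the decrypted profile still exists in the extension's memory while it is unlocked, and the protection is only as strong as the password the user chooses.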