keepassxreboot/keepassxc-browser

A naive question about security

Opened this issue · 9 comments

Hello,

I just recently started using the KeePassXC browser extension. It works great, but I'm wondering something about security. What's preventing a malicious website from querying the extension to obtain database entries? What are the mechanisms in place to prevent the extension from being arbitrarily queried for credentials and coerced into fetching them and giving them to the website?

If the answer to this question does exist already, could you point me to it (I couldn't find it), and maybe it could be displayed more prominently somewhere in the docs? Maybe even right in the Readme file, with a "Security" section for example. It could help regular users understand and use the extension, as well as security-conscious and tech-savvy users.

Thank you for your answer 🙂

Maybe we could create a wiki page or a document where it describes how the extension prevents retrieving any credentials behind the user's back.
Here's a short list.

KeePassXC side:

  • Database needs to be connected with the extension with a certain ID and name. Without knowing these, the user's database cannot be accessed.
  • KeePassXC asks for confirmation before accessing any credentials by default. Even if there was some application that somehow gets the connection keys to a database, no credentials are sent out without the user knowing it. Unless the user has remembered a setting for an entry so that this confirmation is not asked (or has disabled it globally in KeePassXC settings).

Extension side:

  • Input fields that are transparent, too small to view, outside of the page's visible content, or just non-standard, are ignored. This can be overridden manually by using Custom Login Fields.
  • Password filling is restricted to non-password on plain-text input fields.
  • Only after input field(s) have been found is a request sent to KeePassXC.
  • Credentials visible in the UI only contain the credential title and username. The password is retrieved from the background script only during filling.
  • Any content or elements the extension adds to web pages are wrapped inside Shadow DOM, which means the page scripts have no access to even the list of usernames that are shown to the user.

Thank you for your detailed answer! Yes, I think it would be good to at least make mentions of these security measures either in the readme, or in the wiki with a link from the readme.

> no credentials are sent out without user knowing it. Unless the user has remembered a setting for an entry that this confirmation is not asked

So if I understand correctly, all entries where, on the login form, I just have to click on the KeePassXC logo to input credentials without any other confirmation can be sent? Are these the ones where I check the "Remember" box in the modal below (pardon my French)?


Just to be sure to understand the list of security measures you list on "Extension side", could you tell me if the following scenario is possible and follow and correct my reasoning?

The user browses to a malicious website. This website contains input fields that are acceptable for the extension to not ignore. The matching credentials are retrieved from the connected DB and filled in the fields. A script on the website gathers the filled data and exfiltrates it before any form submit, or by forcing one.

If I understand correctly,

  • There has to be a way for the extension/KeePassXC to know which credentials have to be retrieved from the DB. For that, they try to match the URL in the browser bar with the entries' saved URL. So nothing can happen if the URL in the browser bar does not match with one of the entries in the DB. Right?

Let's assume that the malicious website is accessible from a URL matching an entry in the DB: either because the user saved an illegitimate URL in a DB entry, because a legitimate website has been compromised and now serves malicious scripts, or because the attacker managed to redirect the user's traffic for a legitimate website to an attacker-controlled host in HTTP, or in HTTPS and the user ignored the browser warning on the illegitimate certificate (yes, it is a lot).

  • Credentials for the URL are found and filled in the input fields which are acceptable for the extension to fill. With the Shadow DOM, scripts served by the malicious website do not have access to the data filled on the page by the extension, so they cannot silently exfiltrate it. But, can they force a submit of the form containing the input fields to a malicious page (either because the entire website is malicious, or by dynamically changing the target of the form)?

Another protection mechanism is that the extension doesn't just accept any old url to retrieve credentials from. It gets a signal from the webpage (or iframe) that credentials are requested and then uses the actual url of that webpage (or iframe) to narrow the request to KeePassXC. In other words, a malicious website can't just cycle through a bunch of urls trying to gather credentials from KeePassXC.

@droidmonkey Good to know! Thank you for this precision.

My questions and hypothetical scenario in my message above stand, about the possibility for a malicious website posing for a legitimate one to obtain the credentials for this particular website.

> the user ignored the browser warning on the illegitimate certificate

Nothing we can do to protect you from this situation. There are security layers in place for a reason, once you breach the trust layer (valid certificate) then all bets are off.

> because the user saved an illegitimate URL in a DB entry

In this case retrieving the credentials you previously stored/gave to the illegitimate website is rather moot.

> can they force a submit of the form containing the input fields to a malicious page (either because the entire website is malicious, or by dynamically changing the target of the form)

In this case the website has been majorly breached or has not enabled Cross-Site-Script protection. There isn't much KeePassXC can do, at all, to protect you from this scenario.

> Credentials for the URL are found and filled in the input fields which are acceptable for the extension to fill. With the Shadow DOM, scripts served by the malicious website do not have access to the data filled on the page by the extension, so they cannot silently exfiltrate it. But, can they force a submit of the form containing the input fields to a malicious page (either because the entire website is malicious, or by dynamically changing the target of the form)?

In theory every malicious browser extension there is can steal your credentials after you have filled them into the web page. There's nothing that we can do to prevent that. The only prevention is that any other script/extension doesn't have access to the data that is shown to you by the extension.
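The two boundaries discussed in this thread, the maintainer's "wrapped inside Shadow DOM" point and the caveat above that a value already filled into the page's own input is readable by any page script, can be seen side by side in a browser. This is a constructed demo page written for this discussion, not code from keepassxc-browser; the element ids, class names and sample usernames are made up, and the "picker" is a stand-in for the extension's content-script UI.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Closed Shadow DOM vs. filled input (constructed demo)</title>
<form id="login">
  <input id="username" name="username">
  <input id="password" name="password" type="password">
</form>
<pre id="out"></pre>
<script>
  // Stand-in for the extension's content script: the credential picker is
  // placed inside a *closed* shadow root. Usernames are constructed samples.
  function buildPicker() {
    const host = document.createElement('div');
    host.id = 'demo-picker-host';
    const root = host.attachShadow({ mode: 'closed' });
    const list = document.createElement('ul');
    for (const name of ['alice@example.test', 'bob@example.test']) {
      const li = document.createElement('li');
      li.className = 'demo-username';
      li.textContent = name;
      list.appendChild(li);
    }
    root.appendChild(list);
    document.body.appendChild(host);
    return host;
  }

  // Everything a script served by the page can observe about the picker.
  // Selectors do not cross the shadow boundary, a closed root is not exposed
  // on the host, and the host's textContent/innerHTML cover only its light tree.
  function pageScriptView(host) {
    return {
      shadowRootExposed: host.shadowRoot !== null,                       // false
      usernamesViaSelector: document.querySelectorAll('.demo-username').length, // 0
      hostTextContent: host.textContent,                                 // ""
      hostInnerHTML: host.innerHTML                                      // ""
    };
  }

  const host = buildPicker();
  const pickerView = pageScriptView(host);

  // Simulate the user choosing an entry: the value is written into the
  // page's own <input>. From then on it belongs to the page, so a script
  // there can read it; the shadow root protects the picker, not the fill.
  document.getElementById('password').value = 'constructed-sample-secret';
  const filledValueReadable = document.getElementById('password').value.length > 0; // true

  document.getElementById('out').textContent =
    JSON.stringify({ pickerView, filledValueReadable }, null, 2);
</script>
```

Open the file in a browser and read the `<pre>` output: the picker stays invisible to page-side DOM queries while the filled password is readable, which is exactly the distinction the maintainers draw above.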

Ok, so to sum it up, if we put aside situations where the user makes a mistake (by saving a malicious URL in their DB or bypassing a certificate warning in their browser): there is no way that a website can steal credentials from a KeePassXC database using the browser extension, except if it is a legitimate website that has been breached and now embeds malicious scripts. Am I correct?

> Ok, so to sum it up, if we put aside situations where the user makes a mistake (by saving a malicious URL in their DB or bypassing a certificate warning in their browser): there is no way that a website can steal credentials from a KeePassXC database using the browser extension, except if it is a legitimate website that has been breached and now embeds malicious scripts. Am I correct?

Yes. Problems arise if the website is breached, or the user has some malware or malicious browser extensions (including ours). Misusing the extension itself is quite difficult.

There's a cool permission trick you can use in Google Chrome. You can right-click the extension icon and change the extension's permissions so that it cannot access the page unless you first click the icon.


With this in place you don't get any autofill capabilities on any websites until you first opt-in by clicking the icon. This should dramatically reduce the attack surface since the extension won't be able to talk to the website unless you allow it to, and then for only a short period of time (usually until you've submitted the login form).

I don't know if this is possible in Firefox.