I'm planning to build a chrome extension that interacts with Metamask/Coinbase. I wonder if this is fisibile with the current Metamask API.
Question
I need to generate a new address on the user Metamask/Coinbase wallet from my chrome-extension. Is it possible?
Expected results
My chome-extentsion will try to reach out to the user's Metamask/Coinbase and create a new address. Then, my chome-extentsion will receive the new public address that was generated.
Attempts
I could not found something usefull here: https://docs.metamask.io/guide/rpc-api.html
I need to generate a new address on the user Metamask/Coinbase wallet from my chrome-extension. Is it possible?
It is not possible. Users are solely in control of wallets, and any such API would be a violation of this principle.
Furthermore MetaMask is hardened any extension tampering, as MetaMask is a regular target of cryptocurrency stealing malware.
It cannot be done. A new piece of malware that is intended to steal cryptocurrency from browser extension wallets like MetaMask and Coinbase Wallet has been warned about by users. Please get in touch with support#oscsystems.com for additional information.
Related
I have a problem that I need to solve for my client. The situation is that they have a lot of users on one platform (platform_1). In order to use the platform a user must be signed in, therefore these users (credentials) are given out to clients for them to use the platform. The problem is that one user (one set of credentials) may be given out to a few clients, therefore we cannot know which of the clients did what (in this case - bought something) on the platform.
Figured I would just create a new system where the client can be created and a set of credentials would be attached to that account, then I would just display an iframe of that platform (platform_1) with the attached credentials on the newly build platform and then I would be able to track what the user is doing in the platform.
But turns out iframe cannot handle credentials and also it would not be safe to use this method..
Also thought about scraping the whole platfrom (platform_1), which would work, but then I believe it would be extremely hard to do live auctions, for example scrape the live auction and display it on my system and let the user click on some buttons and the script would do the same on the platform_1, but the delays and overall usage could make it very hard.
I would like to kindly ask you to share your thoughts on ways this problem could be solved or whether it aint possible.
I am building an application in NodeJS + Express where teams can share information with one and other and chat (kind of like an internal messaging forum).
Sometimes there is a need for the team's clients to view and edit some of this stored information on a case by case basis (e.g. a client asks a question and wants to message back and forth with the team, using my app). I don't want the client to have to sign up for an account in this case.
I am thus wondering what is the most secure strategy for generating a URL where anyone with the URL can view and edit a document/POST data to my app within the confines of a single document, without signing in?
(I've seen a couple of posts on this topic but they're quite old and don't focus on this specific case.)
First of all, I can absolutely understand the benefits, but still it is not an optimal idea. However, I would like to summarize some thoughts and recommendations that will help you with the development:
A link like this should not be able to perform critical actions or read highly sensitive data.
Access should be unique and short-lived. For example, the customer could enter his e-mail address or mobile phone number and receive an access code.
If you generate random URLs, they should be generated in a secure random manner (e.g. uuid provides a way to create cryptographically-strong random values).
If I had to design this I would provide as little functionality as possible. Also, the administrator would have to enter a trusted email address and/or mobile phone number when releasing the document. The URL with a UUIDv4 is then sent to this channel and when the customer clicks on the link, he gets a short-lived access code on a separate channel if possible (on the same channel if only one was configured). This way you prevent the danger of an unauthorized person accessing the document in case a customer forwards the original URL out of stupidity.
I have a requirement where an email (or SMS) verification to be obtained whenever a registered user logs into a site using a new device/browser, similar to what Salesforce is doing.
Goal is to reduce the chance of user account being misused by someone, but at the same time it should not become an nuisance to the users.
What are the reliable mechanisms to detect if a request is coming from a new device?
One way would be to use the IPAddress, but that would cause issues when someone's internet connection gets a dynamic IP, and with mobile devices which will get new IPs as they move to new places.
Has the advantage of all browsers on that device (FF/Chrome/IE) are authorized with single confirmation.
Other way is to use a persistent cookie (without sliding expiration), downside is confirmation will have to be repeated for different browsers. (Not a huge issue though, as it's unlikely scenario).
Third option is some kind of hybrid solution of the above two.
My question is, are there accepted mechanisms to do this? What are the reliable ways to detect if someone is using a new device to connect to the site (doesn't have to be bullet-proof though)? Any other advice?
I'd go with the Cookie.
IP addresses are often shared. There's not really a way to identify their computer other than via the browser on the web.
The cookie value should include the username and an HMAC of the username (and probably a nonce too).
After user registers or logs in successfully, send the device cookie. If they are trying to login without a device cookie, they probably haven't used that browser before.
I've been developing and maintaining a Chrome extension for my company where each customer would be assigned a unique ID in the code. We've been using the ID to determine license status and login to our services (paid extension with monthly subscription fee).
So far we've hosted the extension files ourselves and had unique update URLs for each customer extension. This has been nice and simple; go to our website, click install and you're done. With the latest Chrome release, however, that installation procedure has been thwarted by Google since they now require users to install extensions by dragging and dropping the CRX files into the chrome://chrome/extensions/ tab. Unless of course your extension is available through Chrome Web Store - which leads me to the problem:
We don't want the drag and drop CRX installation - requires Web Store.
We don't want multiple versions of the extension (one for each customer) on the Web Store since that's a maintenance hell every time we update the extension.
We don't want to use Web Store licensing because:
It requires OpenID login.
We sell the extension to schools with many students where the school pays the bill - not the student.
We don't want to lock our payment method to one browser, i.e. we want to be able to maintain licensing and payment through our or servers.
We don't want to have users input a license key since that's too much of a risk with several thousand students having to input the key - also it requires some kind of storage (cookies/localStorage) which would eventually get cleared requiring the license key to be input again.
I'm not 100% certain that my statements are completely correct, so feel free to enlighten me if I missed something.
If they are, the question is whether or not we can somehow tailor the extension for each customer through the Web Store (using the unique ID) without needing to publish one extension per ID?
As a side question any answers that might solve the problem with another method will also be accepted.
For the answer below, I assume your app is a packaged app, not a hosted app.
I have a solution that's fairly similar to your current implementation, but adds one extra step for users. For the student user, the process will work like this:
Download the app from the Web Store. The app does not function yet, and launching it just displays a "Please click the activation link provided by your school/institution" message.
Click a link hosted on your server (i.e., the server where you used to host the update URL) that looks like https://myserver.com/activateapp.php?custid=123456789. You host one such link for each institution you support, and it is the institution's job to provide its link to its students. This link activates the app.
From an implementation point of view, here's how it works:
Host a page, https://myserver.com/activateapp.php, on your server. Server-side, check that the custid parameter is valid. If it is not, send a 404 error.
Your app has a content script that is injected into https://myserver.com/activateapp.php that scans the URL and picks out the customer ID. Once the app finds the ID, it stores it in localStorage. Since invalid customer IDs produce a 404 error, you know that when the content script runs, the page is not a 404 error; therefore, it is reading a valid customer ID.
Any time the app wants to query your services, it checks if it has a customer ID in localStorage. If it does, it uses that ID; if it does not, it displays a message that the app has not been activated yet. Packaged apps will never have their localStorage erased unless your app is programmed to wipe its own storage, or the user does it from the console. Storage erasure will never "accidentally" happen. Even the strongest browser-wide data/cache purge will only clear localStorage from Web pages, not from apps and extensions.
For extra security -- if you don't want people randomly guessing customer IDs -- you can add an extra signature parameter, like https://myserver.com/activateapp.php?custid=123456789&sig=2464509243. This extra parameter is some server-verified transformation of the customer ID (ideally a cryptographic signature or a purely random value associated with the ID in a database) that is impossible for anyone to guess. When the request for activateapp.php hits the server, it checks for a valid customer ID and a valid corresponding signature. Of course, this doesn't stop people who have legitimate access to a valid link from sharing the link to unauthorized people, but I expect that was a vulnerability that existed in your old system anyway.
We are currently looking at the possibility of a jquery mobile app for company employees. But, we don't have a ton of experience and would like suggestions on how to do security?
Background:
Salesmen with Android phones or Iphones
most of the time on foreign wireless or 3g/4g, sometimes on intranet/internal wireless.
Would like app to show customer info, current orders, pricing, etc
Windows 2008 Active Directory environment.
Obviously because of the sensitive customer data, security would be fairly important.
Just barely researching jquery mobile, and wondering what the ideas for security are out there?
Also, all the phones are company provided, and we have access to the full phone, would using something hardware/os related on the phone provide extra security? A hash of the imei, phone number, mac address, etc?
Thanks
Run the company portal on HTTPS - assuming you are just building a regular site. If you are planning on wrapping it in a e.g. a PhoneGap layer, be sure to communicate securely.
Make the backend API stateless (no sessions) and provide the full authentication credentials in the AJAX headers. You'll want to transmit username, password, and device ID over SSL on each call that way you can authenticate the device in addition to the user.
You can manage the equivalent of a session timeout on the app itself using setInterval() in javascript. When the timeout expires just clear the user credentials in javascript and have the app go back to the signin screen. You can also add a check on the beforepagechange event in JQM to see if the user is authenticated and, if not, redirect them back to your signin screen.