Accessing Chrome Browser Passwords (Read+Write) from an Extension - google-chrome-extension

Is it possible to access the Chrome stored passwords via a Chrome extension?
We want to create secure a team-password sharing plugin, and it would be cool to not need to rewrite the form-filling code and so on.

I think this is not possible. If any extension could access the password store, that would be a security problem.
I would advice to create your own password store. Make sure to protect it sufficiently.

No there is no way to access Chrome stored passwords via a Chrome extension, you only can delete them using chrome browsingData API.
Maybe what you are looking for is Credential Management API, Unfortunately there is no way currently that extension can register itself as a credential manager, there is also bug filed regarding that.

Related

Can content inside a sandboxed iframe be read/spied by browser extensions? if not should I use iframe to secure user credentials?

Apart from all the other typical security best practices I'm wondering about this, since I lately read some articles talking about how browser extensions can spy anything their user does. So that we shouldn't trust them.
Therefore in order to give users and additional layer of protection should I process all users credential and sensitive info inside an iframe inside my webpages?
Can content inside a sandboxed iframe be read/spied by browser
extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a chrome extension the extension can do basically anything in the website to access the user credentials. The extension has also access to the iframes that the page generates.
My proposed solutions to overcome this two issues and keep the website feel "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no mean you want to let the user put content if there are other kind of extensions running in the page, what you can put is some kind of pop up in the page blocking the access to the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has on his browser. This could also make less users leave your page, as if you force him to uninstall of the extensions on his browser it might make him leave your page if it's not a clear enough reason for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is checkout if the user has them installed with this solution Checking if user has a certain extension installed and then print a message to him saying he can't continue until he uninstalls those extensions.

How to restrict access to my firefox addon published on addons.mozilla.org

I developed an addon for firefox which I want to distribute among my group. I don't want to make it visible to everyone. How can I put that restriction for my published addon.
I did the same for chrome extension where my listed emails can install my chrome extension only.
Such an option is not available for extensions listed on AMO. It's either available for everyone or not at all.
Unlike CWS, with Firefox you can opt to self-distribute the extension (AMO will only do the signing, hosting and updating is on you), and then how you control access is up to you.
However, once someone has the XPI file, they can share it with anyone. This is technically true of Chrome extensions as well: once installed, they can be ripped and shared.
If you truly need to limit functionality for non-members, the only way is to offload some non-trivial part of the program to a server that requires access credentials.

How protect chrome extension of reupload

Everybody can download chrome extension, edit and reupload, how i can protect my chrome extension and what i need to do if i see someone reupload my chrome extension?
You can't bulletproof-protect it. The only thing you can reasonably guarantee to be unique is the extension ID for published items - but any checks you would do against it can be circumvented.
It's not a technical problem. It's a social/legal problem.
If you see someone doing it, you should use the Report Abuse function of the Web Store.
What other does is to load the "actual" code of their extension remotely (via CDN)
The code that is packaged with chrome extension just act as loader or their "real" extension code.
See Streak's InboxSDK (sdk to build chrome extensions for gmail). It uses the same concept. https://www.inboxsdk.com/docs/

access chrome password manager

I am writing a chrome extension, and I want to find out if the built-in password manager has saved the password of a specific website.
I don't want to know the password, just to find out if there is one for this website.
do you have any ideas how can I do this?
There is no API to interact with the password manager.
There may be very hacky ways of inspecting the loaded login form, but I don't think you're looking for those.

Use Autoupdating in Google Chrome Web Store

I'm making an extension for Google Chrome and I use code for autoupdating. This is because the extension isn't yet in Google Chrome webstore. But in a few days I will upload it to the Webstore and Google says you can use the Webstores autoupdating. But if I don't want to use that, will my app still update by my own server, like the way it does now?
Thanks in advance!!
I agree that docs are not very clear about this:
If you publish your extension using the Chrome Developer Dashboard,
you can ignore this page. You can use the dashboard to release updated
versions of your extension to users, as well as to the Chrome Web
Store.
But, I've tested it myself and your update_url setting in manifest.json will be overridden when you publish your extension via Chrome Web Store (CWS). In other words, publishing to CWS means that you can't use self hosted autoupdating anymore.
The reasons for that, that I could think of, may be as follows:
CWS wants to keep track of each extension stats (i.e. number of users using each extension)
privacy concerns (people don't want you to track them when they update extension)
security concerns (each extension update must go through CWS verification process)
If you want to track people (please don't) use Google Analytics on i.e. background page of your extension.

Resources