access chrome password manager - google-chrome-extension

I am writing a chrome extension, and I want to find out if the built-in password manager has saved the password of a specific website.
I don't want to know the password, just to find out if there is one for this website.
do you have any ideas how can I do this?

There is no API to interact with the password manager.
There may be very hacky ways of inspecting the loaded login form, but I don't think you're looking for those.

Related

Best practice for implementing a login within a Chrome extension

I am trying to find the best way to incorporate a login form inside my extension's popup page just like Passbolt password manager.
I have endlessly searched for solutions and examples only to find some that do not go into much detail (like OAuth). Furthermore, I am trying to completely avoid having to prompt a popup login page to do the job.
Is there any way to securely send over the credentials to my API's controller directly from the extension?
Any examples or resources would be very helpful.

Can content inside a sandboxed iframe be read/spied by browser extensions? if not should I use iframe to secure user credentials?

Apart from all the other typical security best practices I'm wondering about this, since I lately read some articles talking about how browser extensions can spy anything their user does. So that we shouldn't trust them.
Therefore in order to give users and additional layer of protection should I process all users credential and sensitive info inside an iframe inside my webpages?
Can content inside a sandboxed iframe be read/spied by browser
extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a chrome extension the extension can do basically anything in the website to access the user credentials. The extension has also access to the iframes that the page generates.
My proposed solutions to overcome this two issues and keep the website feel "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no mean you want to let the user put content if there are other kind of extensions running in the page, what you can put is some kind of pop up in the page blocking the access to the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has on his browser. This could also make less users leave your page, as if you force him to uninstall of the extensions on his browser it might make him leave your page if it's not a clear enough reason for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is checkout if the user has them installed with this solution Checking if user has a certain extension installed and then print a message to him saying he can't continue until he uninstalls those extensions.

Accessing Chrome Browser Passwords (Read+Write) from an Extension

Is it possible to access the Chrome stored passwords via a Chrome extension?
We want to create secure a team-password sharing plugin, and it would be cool to not need to rewrite the form-filling code and so on.
I think this is not possible. If any extension could access the password store, that would be a security problem.
I would advice to create your own password store. Make sure to protect it sufficiently.
No there is no way to access Chrome stored passwords via a Chrome extension, you only can delete them using chrome browsingData API.
Maybe what you are looking for is Credential Management API, Unfortunately there is no way currently that extension can register itself as a credential manager, there is also bug filed regarding that.

How to hidden install extension?

Is there a way to install a crossrider extension on a user's computer without letting him/her know it? My website requires this when a user click on a "set as homepage" link.
Thanks for any help.
Changing the user's home page is generaly concidered as a very annoying thing to do. You can look at this previous discution.
Installing an extension without warning the user is not possible in a normal way because of obvious security reasons. When you know what kind of things you can do with google extension, it's better like this. It should be a huge problem if an extension can install himself without warn and send your password or personnal information like your bank credentials...

saving username password in option.html and loading them automatically

I have created 2 extensions for websites that i do not own and they do not have an api.
when you open the extension, there will be a login screen, but when you close it, you'll be logged out, i want to either save the cookies so when you reopen the extension you'll be logged in or to save the password like lastpass and create an option page, but:
1- I do not want to host the database on my vps, coz i don't want to pay to maintain the extension if i have many users, and i don't want to keep protecting my database from hackers till death :)
2- I do not want to host it on any paid service
unfortunately, lastpass doesn't have an api, so i'm thinking of storing the username and password on the user's pc, and i do not care if he got hacked because it is his responsibility to keep his pc secured and not mine :) any idea or tutorial on how to do it?
and by the way the websites are created using .net framework
You can store information between browser restarts in localStorage.

Resources