user-passcode stored in plaintext and visible after session

[edeykholt]

Repro:

1. Install and configure the extension
2. enter passcode as usual
3. close the browser
4. install a "Storage Explorer" extension from the chrome web store
5. launch the extension from the action icon button
6. right-click on the action popup, and select Inspect
7. In Developer Tools, select the Storage Explorer and view the chrome.storage.local area

Results:
See the user-passcode. Sometimes, when the extension is aborted abnormally, no passcode entry is required upon launch.... maybe days later.

Expected Results:
Should instead use chrome.storage.session, which would clear after closing Chrome. Could also take other precautions to clear the cached user-passcode.

[2byrds]

Thx @edeykholt . @HunnySajid let's prioritize this tomorrow.

[HunnySajid]

@edeykholt thank you for pointing this out.
As discussed with @2byrds
Initially, it was intentional move to keep user passcode in storage. The idea was to keep extension UNLOCK for specific time even if browser is closed and restarted.
Now, we will move passcode to session storage to make it more secure.
This way, extension would be unlocked for specific time during the browser session and user would have to unlock again if browser is closed. I'll generate a PR soon. Thanks

[HunnySajid]

@edeykholt the above mentioned changes have been added here
Now the passcode and relevant info is stored in session storage instead of the localstorage.
You may try the changes and then we can close this issue.
Thanks

[edeykholt]

Much improved, thank you, but the "unlocked for a specific time" implementation isn't what I'd expect. Scenario:

1. Start an interaction that leaves the action popup open (e.g. after signing the headers to access the status page, then click on the extension's action icon)
2. Walk away for a long time.
3. Come back, and the popup is still open, with user-passcode still in the chrome.storage.session area.
   

[HunnySajid]

Much improved, thank you, but the "unlocked for a specific time" implementation isn't what I'd expect. Scenario:

1. Start an interaction that leaves the action popup open (e.g. after signing the headers to access the status page, then click on the extension's action icon)
2. Walk away for a long time.
3. Come back, and the popup is still open, with user-passcode still in the chrome.storage.session area.
   

I understand that now. Thank you for the clarification.
Actually, this is an intended behaviour. We do not want extension to be locked (session to end) if popup is still open. This is because there is a chance that user might still be interacting with extension and it can get locked in middle of an operation.

But I agree with your concern, I think we should keep passcode in encrypted form in session storage instead of storing it as plain text. That can help us to make it secure. But I don't think extension should be locked forcefully if popup is open
What do you think?
cc: @2byrds

[edeykholt]

My opinion is that it should definitely lock and clear the passcode on inactivity exceeding ~5 minutes.

Cleartext in session storage isn't as big of a concern for me relative to this, since the encryption key would probably be discoverable via the source code. Plus, there are other exposures of the passcode, such as in the extension's service-worker console output. See image. The team could create on another backlog item for hardening these types of areas. I'm working on some concepts in KERI Auth extension related to having the user providing a password (or with webauthn and PRF -- see https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension), then using that material to encrypt.

[2byrds]

@HunnySajid what is the status here?

[HunnySajid]

@HunnySajid what is the status here?

No further development has been made on this. I would look into this and we can discuss about the possibilities.