Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

For Uphold wallet integration, we should protect against malicious extensions #4928

Closed
jsecretan opened this issue Jun 14, 2019 · 7 comments · Fixed by brave/brave-core#2946
Closed

For Uphold wallet integration, we should protect against malicious extensions #4928

jsecretan opened this issue Jun 14, 2019 · 7 comments · Fixed by brave/brave-core#2946
Assignees
@fmarier
Labels
feature/rewards priority/P1 A very extremely bad problem. We might push a hotfix for it. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-Plan-Specified QA/Yes release-notes/exclude security
Milestone
0.69.x - Release

Comments

@jsecretan
Copy link

Description

To prevent attacks by malicious extensions in our new sign in process for the integrated Uphold wallet, we should block access to our specific integrated wallet sign in URL to extensions. This URL from Uphold is going to be specifically dedicated to the purpose of our wallet integration, so blocking that URL should have no effect on legitimate extensions. This will include access through the WebRequest API and to sign in page generally (this includes scripting access to the page).

Misuse of the WebRequest API is something Chrome itself has to contend with - there are already blocks in place for the chrome web store. We should be able to look to https://cs.chromium.org/chromium/src/extensions/browser/api/web_request/web_request_permissions.cc?rcl=a367b3f7bd249d6e3feb13ee250b83baf821f3f3&l=238 as a way to implement blacklisting of the particular linking / redirect URL.

For blocking page level / scripting access we may be able to make use of the “withheld” permissions functionality that already exists for user granted host permissions for extensions. Currently you can set an extension to be granted permission to a particular site upon a user clicking the icon in the toolbar. It would be ideal if we can set an override so that all* extensions require on-click permissions for the uphold authorization pages, no matter their global permission setting.

This on-click permission facility seems like it would strike a good balance between us protecting the user and them being able to override for legitimate extensions. Since there is no associated request notification (the extension icon in the toolbar is simply shown within a differently colored circle) a user is unlikely to grant permissions by clicking the icon unless they have a legitimate need for that extension on this page.

*: A small whitelist for known password managers would likely be desirable

cc: @evq
@jsecretan jsecretan added the priority/P1 A very extremely bad problem. We might push a hotfix for it. label Jun 14, 2019
@NejcZdovc NejcZdovc added this to the 0.68.x - Nightly milestone Jun 15, 2019
@fmarier fmarier mentioned this issue Jun 25, 2019
Closed
32 tasks
fmarier added a commit to fmarier/brave-core that referenced this issue Jul 10, 2019
@fmarier
Prevent extensions from tampering with Uphold linking flow (brave/bra…
e46514f 
…ve-browser#4928)
@fmarier fmarier mentioned this issue Jul 17, 2019
Merged
32 tasks
fmarier added a commit to brave/brave-core that referenced this issue Jul 18, 2019
@fmarier
Hide Uphold linking flow from webRequest (brave/brave-browser#4928)
2efb4e6
fmarier added a commit to brave/brave-core that referenced this issue Jul 18, 2019
@fmarier
Withhold content scripts during Uphold linking flow (brave/brave-brow…
f3e7a4f 
…ser#4928)
@kjozwiak
Copy link
Member

Labelling as QA/Yes as there's STR/Test Cases in brave/brave-core#2946.

This was referenced Aug 22, 2019
Closed
Closed
Closed
@LaurenWags
Copy link
Member

LaurenWags commented Aug 27, 2019
edited by GeetaSarvadnya
Loading

Verified passed with

Brave 0.69.116 Chromium: 76.0.3809.100 (Official Build) beta (64-bit)
Revision ed9d447d30203dc5069e540f05079e493fc1c132-refs/branch-heads/3809@{#990}
OS Mac OS X

WebRequest Step 3:
Screen Shot 2019-08-27 at 12 12 50 PM

WebRequest Step 4:
Screen Shot 2019-08-27 at 12 13 21 PM

ContentScript Step 2 (sandbox):
Screen Shot 2019-08-27 at 12 13 21 PM
Screen Shot 2019-08-27 at 12 16 45 PM

ContentScript Step 3 (sandbox):
Screen Shot 2019-08-27 at 12 18 01 PM

ContentScript Step 4 (sandbox):
Screen Shot 2019-08-27 at 12 19 00 PM

ContentScript Step 2 (prod):
Screen Shot 2019-08-27 at 12 23 45 PM

ContentScript Step 3 (prod):
Screen Shot 2019-08-27 at 12 25 18 PM

WebRequest Step 2:

image

WebRequest Step 3:
image

WebRequest Step 4:
image

ContenScript performed for production and sandbox
ContentScript Step 2 :
image

ContentScript Step 3 :
image

ContentScript Step 4 :
image

Verification passed on

Brave 0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision 58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS Windows 10 OS Version 1803 (Build 17134.1006)

WebRequest Step 3:

image

WebRequest Step 4:

image

ContentScript Step 2 (sandbox):
image

ContentScript Step 3 (sandbox):
image

ContentScript Step 4 (sandbox):
image

ContentScript Step 2 (prod):
image

ContentScript Step 3 (prod):

image

@kjozwiak kjozwiak mentioned this issue Sep 23, 2019
Closed
@GeetaSarvadnya
Copy link

@fmarier step 2 from the test plan brave/brave-core#2946 is redirecting to the page below In Windows 0.69.128 Chromium: 77.0.3865.75

image

@fmarier
Copy link
Member

fmarier commented Sep 25, 2019

I updated the test plan at brave/brave-core#2946. The expected landing page is now fmarier.org due to a recent change I made to my testing extension.

@kyeotic
Copy link

kyeotic commented Oct 4, 2019
edited
Loading

@jsecretan This is really frustrating as it disables password managers. There is no indication in the UI that the disabling is intentional, and I just spent 20 minutes trying to figure out why Bitwarden wouldnt work on the uphold.com account creation page. Clicking the extensions and then clicking reload page to use extensions doesn't work, making it feel like a bug.

A way to re-enable extensions would be nice. In lieu of the ability to control what my browser does, an explanation about why would be appreciated.

@evq
Copy link
Member

evq commented Oct 4, 2019

@kyeotic if clicking the extension and the reload page to use this extension prompt doesn't work then that is a bug. we explicitly hooked into the extension permission system to enable such a use case

@fmarier should we create a new issue or track here?

@kyeotic
Copy link

kyeotic commented Oct 4, 2019
edited
Loading

@evq Ah, good to know its a bug. I will open an issue for it.

Scratch that: someone beat me to it

@fmarier fmarier mentioned this issue Oct 4, 2019
Closed
tmancey pushed a commit that referenced this issue Apr 9, 2020
@brave-browser-releases
Uplift of #4928 (squashed) to beta
11516d4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fmarier fmarier

Labels
feature/rewards priority/P1 A very extremely bad problem. We might push a hotfix for it. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-Plan-Specified QA/Yes release-notes/exclude security
Projects
None yet
Milestone
0.69.x - Release