0

I am working on crypto-wallet and ran into a data storage security issue. Such data as passphrase, password etc are storing in encrypted form using chrome.storage But I need a password every time when I want to access my app and to resolve this i want to store some session object.

Chrome team will migrate to manifest v3 soon without v2 support thats why i cant using persistent background script and store data in it. Maintaining a persistent service worker session is also not a good idea.

I found some info about chrome.storage.session that allows to store some data without persisting to the disk.

The main concern is whether someone can access this storage and get data from there or change them? is it safe?

I will be glad to any suggestions and ideas

Eugene Vajda
  • 25
  • 9

1 Answers1

1

chrome.storage.session was created exactly for this use case of storing sensitive data like passwords in memory, so the very idea for its existence is that it's safe, however there's one bug: your own content script can read it even if your background script explicitly disallowed it, which means that a site can utilize a sidechannel attack or a 0-day vulnerability to break through the world isolation barrier and gain access to the globals of the content script.

Until the bug is fixed the workaround is to save the sensitive globals like chrome in a local variable inside IIFE and delete it from the global scope:

(() => {
  const {chrome} = window;
  delete window.chrome;
  // ...........
  // ......... your entire content script is inside IIFE
  // ......... and it should use `chrome` directly, not `window.chrome`
  // ......
})();
wOxxOm
  • 65,848
  • 11
  • 132
  • 136