secure-ls

How secure is it really?

Open GsHeri opened this issue 5 years ago • 17 comments

Heya, I'm sorry if this is a stupid question, I'm no security expert. But if everything has to be two-way, then the secret has to be accessible to every attacker... right? So is it really just obfuscating the data, or is there real encryption at work here, which is hard (or virtually impossible?) to break?

Would someone explain it to me? Thanks :)

GsHeri avatar Jan 24 '20 17:01 GsHeri

I was thinking the same... how is it?

ux-engineer avatar Mar 08 '20 11:03 ux-engineer

From what I understand, the key used to perform the encryption is encrypted with a metaKey (see src/utils.js; its value is _secure__ls__metadata) and then stored in the local storage.

It seems we can't override the value of this key, so IMHO it is not secure at all.

linkdd avatar Apr 29 '20 15:04 linkdd

It's not secure at all. The keys are right there, in the localstorage.

Please, don't use this project for anything. It is dangerous.

I tried to raise an issue because this project is irresponsible with their use of "secure" in marketing it, but they deleted the issue without even commenting.

karelbilek avatar Sep 28 '21 15:09 karelbilek

I don't agree with you.

var ls1 = new SecureLS({encodingType: 'des', encryptionSecret: 'my-secret-key-1'});

Try before commenting.

qxygene avatar Jan 01 '22 01:01 qxygene

Do we have a consensus on this matter?

Is this really secure?

I'd like to see some demo POC

vicenterusso avatar Jan 12 '22 13:01 vicenterusso

Try to read this data:

qxygene avatar Jan 12 '22 18:01 qxygene

It is 1000% secure.

qxygene avatar Jan 12 '22 18:01 qxygene

The issue I brought up is not with the encrypted values for the data you are storing (which I believe is what you posted), but the _secure__ls__metadata key that's also stored in localStorage along with that value. You can easily decode that (it's not encrypted, just compressed).

@bozzaj So, just to be clear, changing the meta key name is the only thing we can do, right? I mean, just to make it hard for someone to guess the name (only because it's a public and popular library).

What I mean is, we are not 100% secure if somehow the attacker knows the meta key name. Right?

vicenterusso avatar Jan 13 '22 00:01 vicenterusso

Changing the meta key name would obfuscate the fact that you're using the library and then it just becomes data sitting in localStorage.

Ignoring the fact that it's fairly simple to fetch all keys from localStorage then try to decode it using the algo you mentioned earlier, to see if there is a key that can be decoded. If there is, you got your metadata without knowing the key name beforehand.

Let's get some facts straight:

STORING SENSITIVE DATA IN LOCALSTORAGE IS NEVER SECURE AND NEVER WILL BE.

linkdd avatar Jan 13 '22 01:01 linkdd

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#local-storage

Also known as Offline Storage, Web Storage. Underlying storage mechanism may vary from one user agent to the next. In other words, any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended to avoid storing any sensitive information in local storage where authentication would be assumed.

linkdd avatar Jan 13 '22 01:01 linkdd

moved on to something that provided (for me) significantly better security, even with localStorage.

Please do share your findings :)

vicenterusso avatar Jan 13 '22 01:01 vicenterusso

@bozzaj The _secure__ls__metadata key will not be stored in localStorage as "_secure__ls__metadata" unless you change key:TO_SOMETHING. You can never decode that because it is encrypted, as I posted above.

https://www.devglan.com/online-tools/triple-des-encrypt-decrypt No chance!

The metadata is not always only base64; you can choose methods, as I chose DES. Here is the config:

const ls = new SecureLS({ encodingType: 'des', isCompression: false, encryptionSecret: '_my_key', });

For example, I use vue, vuex, vuex-persistedstate. With secure-ls everything is secured. Why is this so difficult for you to understand?

qxygene avatar Jan 14 '22 00:01 qxygene

If the _secure__ls__metadata key is saved in a secure cookie, it may be more secure?

XzaR90 avatar Jan 14 '22 13:01 XzaR90

I forked this and created another version, https://github.com/xzar90/secure-storage. It has fewer features, but the metadata key is stored in a cookie instead and the code is enclosed.

XzaR90 avatar Jan 26 '22 16:01 XzaR90
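The cookie idea above raises the question that actually decides whether it helps: can page JavaScript read the cookie? A `Secure` cookie is only HTTPS-only; it is still readable through `document.cookie` by any same-origin script, so it hides the key no better than localStorage. An `HttpOnly` cookie is hidden from script, but then client-side code cannot use it as a key either. The following is an added example, not code from secure-ls or from xzar90/secure-storage: it parses a `Set-Cookie` header (a constructed sample) and reports whether the value is reachable from script. The function names are hypothetical.

```javascript
// Added example (not secure-ls or secure-storage code): audit a Set-Cookie header for
// whether its value is reachable from page script, plus the usual transport attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,  // HttpOnly: not exposed via document.cookie
    secure: false,    // Secure: only sent over HTTPS (says nothing about script access)
    sameSite: null,   // SameSite: whether it rides along on cross-site requests
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// Returns the findings a reviewer would raise if this cookie were meant to hold key material.
function assessCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) {
    findings.push('readable from same-origin script via document.cookie; no better hidden than localStorage');
  }
  if (!c.secure) findings.push('sent over plaintext HTTP');
  if (!c.sameSite || c.sameSite.toLowerCase() === 'none') findings.push('attached to cross-site requests');
  return { name: c.name, scriptReadable: !c.httpOnly, findings };
}

// Constructed sample headers: the "secure cookie" from the comment above, and a hardened one.
console.log(assessCookie('_meta=abc123; Secure; Path=/'));
console.log(assessCookie('_meta=abc123; Secure; HttpOnly; SameSite=Strict; Path=/'));
```

Note what the hardened variant implies: once the key is `HttpOnly`, only the server can use it, at which point the sensitive data itself belongs server-side rather than encrypted in the browser.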

You need to figure out what the "secure" is actually secure against/from.

Secure against user tampering? That's basically impossible client-side; if JavaScript can read it client-side, the user can read it client-side.

You can heavily obfuscate it, which is "secure" I guess, but then the javascript itself would need to be obfuscated too. But in the end it's kind of "DRM".

Secure against other websites reading it? Browsers already do this. You cannot have different origins read the same localStorage...

So you must define what is the threat model you are protecting against, really.

karelbilek avatar Jan 28 '22 03:01 karelbilek

This package uses crypto-js: https://github.com/advisories/GHSA-xwcq-pm8m-c4vf

jonyedu avatar Oct 28 '23 21:10 jonyedu