HubSpot-Developer-Extension
Find a security flaw, and fix it.
This is a Google Chrome Extension, and it's used by hundreds of people, so we wanted to make sure we keep it as secure as possible. That said, none of the core team maintaining this project are security experts; we do the best we can with what we know.
If you can find a security flaw in this extension and can at least suggest a fix, that would be greatly appreciated! We absolutely will give you credit whenever we list contributors somewhere.
The extension is made using HTML, CSS and JavaScript. We currently use the jQuery library.
Installed the extension, couldn't really understand what exactly it does.
@codegagan the extension is for HubSpot developers (it's a CMS platform).
The extension does a few things. When you click the buttons under the debug tab - all of the buttons except the "google page speed insights" put a query parameter in the URL - on HubSpot sites these parameters trigger certain server-side things to happen on those sites.
From a security standpoint, those buttons access the Chrome tabs API, which means the extension gets access to the URL of the current page.
Other functions of the extension - if you sign into the backend of a HubSpot site and have the dark theme and UI/Tweaks dev menu enabled under the develop tab, the design-managerjs file is loaded, which injects a menu into the page as well as enables a stylesheet.
The stylesheet applies some minor UI tweaks to the back end and changes the interface from mostly white to a darker color scheme.
From a security standpoint, since it injects code into the page we want to be sure it can't be hacked in some way to change what code is injected. Especially since those pages could have confidential information.
Thank you for the explanation. Some generic things I could suggest here to improve security:
- Minify/uglify the JS scripts/files. I can currently read the JS in the installed extension.
- Any values being read from the user, from the URL, or from any source where an attacker can intercept should be validated (against what is expected)/sanitized/escaped by using well-known libraries to be safe from XSS-type vulnerabilities (the example you mentioned).
- Follow https://developer.chrome.com/extensions/security
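
An added example, not part of the thread and not the extension's own code: one way to apply the "validate what is read from the URL" advice to the debug buttons described above. The function names, the parameter allowlist and the value pattern are assumptions made for illustration.

```javascript
// Added example: build the debug URL for the active tab without string
// concatenation. The parameter names below are assumptions for illustration.
const ALLOWED_PARAMS = new Set(["hsDebug", "hsCacheBuster"]); // assumed names
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the new URL string, or null when the input should be refused.
function buildDebugUrl(tabUrl, param, value = "true") {
  if (!ALLOWED_PARAMS.has(param)) return null;            // only known switches
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(value)) return null;  // expected shape only

  let url;
  try {
    url = new URL(tabUrl);                                // rejects malformed input
  } catch (e) {
    return null;
  }
  // Refuse javascript:, data:, chrome:, file: and similar schemes.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Refuse URLs carrying embedded credentials (user:pass@host).
  if (url.username || url.password) return null;

  // searchParams.set() percent-encodes and replaces any existing value,
  // so repeated clicks do not stack duplicate parameters.
  url.searchParams.set(param, value);
  return url.toString();
}

// Rendering a tab URL in the popup: textContent never parses markup,
// unlike innerHTML or jQuery's .html().
function showUrl(element, tabUrl) {
  element.textContent = tabUrl;
}

// In the extension, the result would go to chrome.tabs.update(tab.id, { url }).
```

A `null` result means the button should do nothing for that tab rather than navigate.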