do not store profile passwords in clear text

Open josephtingiris opened this issue 11 months ago • 5 comments

Describe the feature you'd like to request

Today I noticed that the chrome (and chromium) extensions (on linux) are storing the (webdav) passwords in clear text in both the *.log and *.ldb files, i.e.

    /home/jtingiris/.config/google-chrome/Floccus Profile/Local Extension Settings/fnaicdffflnofjppbagibeoednhnbjhg/000144.log
    /home/jtingiris/.config/google-chrome/Floccus Profile/Local Extension Settings/fnaicdffflnofjppbagibeoednhnbjhg/000146.ldb
    /home/jtingiris/.config/chromium/Default/Local Extension Settings/fnaicdffflnofjppbagibeoednhnbjhg/000302.log
    /home/jtingiris/.config/chromium/Default/Local Extension Settings/fnaicdffflnofjppbagibeoednhnbjhg/000304.ldb

stores its json ..

    {
      "17438009688830.4750445422309294": {
        "type": "webdav",
        "url": "https://my.dav.server/blah",
        "username": "jtingiris",
        "password": "THIS_PASSWORD_IS_TOO_EASY_TO_READ",
        "bookmark_file": "bookmarks.xbel",
        "bookmark_file_type": "xbel",
        "includeCredentials": false,
        "allowRedirects": false,
        "passphrase": "",
        "allowNetwork": false,
        "enabled": true,
        "label": "bookmarks",
        "localRoot": "0",
        "syncInterval": 15,
        "strategy": "default",
        "nestedSync": true,
        "syncing": false,
        "scheduled": false,
        "error": null,
        "errorCount": 0,
        "lastSync": 1743942607529,
        "failsafe": true,
        "clickCountEnabled": false
      }
    }

and those files can be easily read by anyone with access to that home directory.

My main concern is on multi-user systems, particularly those in which more than one person has admin/root access.

Describe the solution you'd like

Chrome, Firefox, and Safari all offer built-in password storage features, e.g. the Chrome Credential Management API. Or, prompt for the password every time the browser is started. At the very least, come up with your own reversible hash or something. Don't put the full json in the logs. I realize this can be a difficult feature to implement properly but it doesn't have to be SO easy.

example:

    // Request a stored password credential through the Credential Management API
    navigator.credentials.get({ password: true }).then(function (credential) {
      if (credential) {
        // Credentials retrieved successfully (PasswordCredential keeps the username in `id`)
        var username = credential.id;
        var password = credential.password;
        // Use the credentials
      } else {
        // Handle the case where credentials are not available
      }
    });

Describe alternatives you've considered

Go back to the default edge, chrome, or firefox sync methods which do not store clear text credentials on the filesystem.

josephtingiris • Apr 06 '25 14:04

Hello @josephtingiris Thank you for your feedback, I appreciate it! Unfortunately the password storage facilities you are talking about are not available for web extensions to my knowledge. Floccus used to have an unlock passphrase, but that became obsolete with the advent of Manifest v3 as there is no long running browser context anymore that can hold the passphrase in memory. Additionally, I am of the opinion that if an attacker can read your files they can also read what you type into a passphrase input box. I'm open to being proven wrong, but currently I see no better way than to just use the browser extension storage.

marcelklehr • Apr 06 '25 14:04

Security is a feeling. I'd feel a little better knowing it was obfuscated with base64 than in the clear. Yes I realize that's not encrypted, but it is one extra step someone has to take. The same principles of security apply with regard to signs advertising a home is protected by an alarm company. Bad actors will often move on to an easier target.

I know this isn't an easy problem to 'solve' but it can be made better.

What about an unlock passphrase using Manifest v3 storage.session ?

Maybe something like this and encrypting browser.storage.local would be even better?

josephtingiris • Apr 06 '25 23:04
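
The idea raised in the comment above (an unlock passphrase held in Manifest v3 `storage.session`, with the password in `storage.local` encrypted), shown as an added example using WebCrypto; it is not floccus code and not code from any participant in this thread. The two `Map`s stand in for the extension storage areas, and the function names and the `kdfSalt` / `profileKey` keys are hypothetical.

```javascript
// Added example. The two Maps stand in for browser.storage.local (persisted
// to the LevelDB files) and storage.session (memory only); names are hypothetical.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // Node < 19 fallback
const subtle = webcrypto.subtle;
const localStore = new Map();   // stand-in for browser.storage.local
const sessionStore = new Map(); // stand-in for browser.storage.session
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive an AES-GCM key from the unlock passphrase; only the salt is persisted.
async function unlock(passphrase) {
  let salt = localStore.get("kdfSalt");
  if (!salt) {
    salt = b64(webcrypto.getRandomValues(new Uint8Array(16)));
    localStore.set("kdfSalt", salt);
  }
  const material = await subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  const key = await subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt: unb64(salt), iterations: 600000 },
    material, { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  // storage.session holds JSON values, so the raw key is kept there as base64.
  sessionStore.set("profileKey", b64(await subtle.exportKey("raw", key)));
}

// Re-import the key for this session; fails if the user has not unlocked yet.
async function sessionKey() {
  const raw = sessionStore.get("profileKey");
  if (!raw) throw new Error("locked: no passphrase entered this session");
  return subtle.importKey("raw", unb64(raw), "AES-GCM", false, ["encrypt", "decrypt"]);
}

// Persist the profile with its password field replaced by IV + ciphertext.
async function saveProfile(id, profile) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV per write
  const ct = await subtle.encrypt(
    { name: "AES-GCM", iv }, await sessionKey(), enc.encode(profile.password));
  localStore.set(id, JSON.stringify({ ...profile, password: { iv: b64(iv), ct: b64(ct) } }));
}

// Decrypt on read; AES-GCM rejects a wrong key or a modified ciphertext.
async function loadProfile(id) {
  const stored = JSON.parse(localStore.get(id));
  const pt = await subtle.decrypt(
    { name: "AES-GCM", iv: unb64(stored.password.iv) },
    await sessionKey(), unb64(stored.password.ct));
  return { ...stored, password: new TextDecoder().decode(pt) };
}
```

This changes only what ends up in the `.log` and `.ldb` files; it does nothing against someone who can observe the passphrase prompt or the unlocked browser's memory, which is the maintainer's objection above.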

> I'd feel a little better knowing it was obfuscated with base64 than in the clear.

This is actually the worst thing to do as people might think it is encrypted and share the whole JSON where if it were plaintext they would blank it out as you did.

kgraefe • Jul 14 '25 08:07

@josephtingiris If you're open to using Firefox, then you can have your (local) Firefox profile protected with a "master password". That is different to/separate from Firefox sync password/account (and you can choose to use both, one of them, or none of them - they are independent).

Unfortunately, Chrome/Chromium doesn't have/support "master password".

You may consider Firefox also for other security reasons, for example that Chrome now automatically disables and doesn't allow new installations of uBlock origin...

peter-lyons-kehl • Jul 15 '25 19:07