When we add chrome extensions in the browser (eg. for dark mode or blocking ads) it asks for few permissions. Specific example, I am concerned with is about DARK READER extension.
Link : https://chrome.google.com/webstore/detail/dark-reader/eimadpbcbfnmbkopoojfekhnkhdbieeh?hl=en-US
Now this kind of extension asks for permission as follows:
I want to know if I give this permission, can this extension read passwords which I type?
What security threats does it pose and how to safeguard myself from them?
I have read that I should use incognito mode. Please someone elaborate.
Related
I'm building a website using simple passwords like 'abc123'. Chrome pops up this message everytime I log in my website and is very annoying. I can't find ways to turn it off. All solutions I searched are about removing passwords settings.
Please let me know any ways to turn this pop up off. Thank you.
The duplicate target I linked (Can I disable Chrome password check only for localhost?) only covers removing type="password" from your input elements.
As a more extreme measure, this Google support thread proposes disabling the feature browser-wide. You should consider whether this is a good solution for your other browsing habits before turning it off to improve the development experience.
To turn off this feature:
Go to Chrome settings and go to Sync and Google services.
Turn off Warn you if passwords are exposed in a data breach.
I'm using Chrome policy settings to restrict access in a user's browser. Among the policies in place are policies that should prevent deleting history, and also prevent using incognito mode. On Windows machine, these policies are set like this, if in a .reg file:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"IncognitoModeAvailability"=dword:00000001
"AllowDeletingBrowserHistory"=dword:00000000
When tested on a machine that has these policies, it does indeed appear that the users of the machine are unable to use incognito mode, nor delete browser history. But inspecting the browser history shows large gaps of time without any activity, which is contrast to other logging I have in place. The user's login does not have have administrative rights (they login as a standard user), so they shouldn't be able to alter the group policy settings. And indeed when I inspect the machine after the fact, the policies do appear to be active. My question is, is there any way to bypass these groups policy settings such that either incognito mode may be used, or else browser history is deleted? Without administrative privileges (so that policies can be changed), I can't imagine how it would be done, but I'm convinced it is.
I've got a fairly popular chrome extension, over time I've got sporadic reports from users that this extension is malware, which of course it is not.
I've recently learned that there are malware programs who change the files of the chrome extension and make turn it into a malware.
Is there any way I can defend my extension from this kind of changes?
Thanks.
You don't have to!
Chrome has a built-in mechanism preventing it. Any extension installed from Web Store will have a signed hash of all files included.
At any time when Chrome loads an extension, those hashes are checked, and if any file is modified Chrome marks the extension as potentially compromised, disables it and warns the user of unauthorized changes.
That said, this only protects static files you have in your extension.
If you rely on external scripts, it's your duty to protect them from man-in-the-middle attacks. Chrome's default extension CSP does a good job of securing against the worst offenders, but still - if you use dynamic code, it's your responsibility to secure it, especially if you override the CSP.
Finally, if you're using a Native Host module, it's not secured. Treat it as untrusted.
Is there a command line option where I could launch chrome with the developer tools disabled? The scenario is this - I want to have an extension that will autofill info into forms, but if the form has a password field that the user shouldn't have, by opening up the dev tools and playing in the console it would be easy to discover, which is something I've been asked to prevent - is this possible?
Not possible. There is no such flag in Chrome.
From a security point, passwords should never be filled in by anybody other then the user himself.
The client should never-ever receive sensitive data that the user is not proven to be authorized to have.
And no, you cannot affect client-side applications. Chrome is not the only browser that has inspection tools.
I need to capture image from web page without security warning.
Page where i need webcam functionality can not be switched to https protocol.
I've installed root certificates and made them trusted.
I tried to insert iframe (which pointed to secure protocol https://mysecurepage.com) inside page (http://mypage.com), but not worked.
#bjelli is correct - this is a major security flaw for any internet content. Just imagine if you could go to a website which would start taking photos/recording everything going on without any permissions or notifications!
However, I am working on an intranet project where disabling the prompt would be quite safe.
If you are in this sort of position - there is one thing you can do;
Google Chrome Policies
If you are deploying the browser, you can override the security prompt for sites you specify. I don't know if you are working in such an environment, but this is the only way you can avoid the prompt all together. Similar things probably would apply for other browsers too.
As defined in http://www.w3.org/TR/mediacapture-streams/
When the getUserMedia() method is called, the user agent MUST run the following
steps:
[9 steps omitted]
Prompt the user in a user agent specific manner for permission to provide the
entry script's origin with a MediaStream object representing a media stream.
[...]
If the user grants permission to use local recording devices, user agents are
encouraged to include a prominent indicator that the devices are "hot" (i.e. an
"on-air" or "recording" indicator).
If the user denies permission, jump to the step labeled failure below. If the
user never responds, this algorithm stalls on this step.
If a browser does not behave as described here it is a serious security problem. If you find a way of making a browser skip the "permission" you have found a security problem.
What do you do if you find a security problem?
Report it IMMEDIATELY! Wikipedia: Vulnerability Disclosure
Firefox: http://www.mozilla.org/security/#For_Developers
Internet Explorer: http://technet.microsoft.com/en-us/security/ff852094.aspx
Safari: https://ssl.apple.com/support/security/
Chrome: http://www.google.com/about/appsecurity/
Opera: http://www.opera.com/security/policy
This is not just a question of technical possibilities, it's also a question of
professional ethics: what kind of job would I not take on? should I be
loyal to my customer or should I think of the welfare of the public? when do I
just follow orders, when do I stop bad stuff from happening, when do I blow the whistle?
Here are some starting points for computing professionals to think about the ethics of their work:
http://www.acm.org/about/se-code
http://www.acm.org/about/code-of-ethics
http://www.ieee.org/about/corporate/governance/p7-8.html
http://www.gi.de/?id=120