

If Google Play apps have been enabled on your Chromebook, the use and protection of information collected by Google Play or the Android operating system is governed by the Google Play Terms of Service and Google Privacy Policy. Google's retention policy describes how and why Google retains data. Although this policy describes features that are specific to Chrome, any personal information that is provided to Google or stored in your Google Account will be used and protected in accordance with the Google Privacy Policy, as changed from time to time. Learn how to control the information that's collected, stored, and shared when you use the Google Chrome browser on your computer or mobile device, ChromeOS, and when you enable Safe Browsing in Chrome.

Anyone with read access to your computer can get access to the password, even if the database (localStorage/whatever) is encrypted. All an attacker has to do is copy over the user data directory (~/.config/google-chrome on Linux, somewhere in AppData on Windows), start Chrome on their own PC with the --user-data-dir flag set to the copied directory, and use the app: the stored credentials will be used to log in to whatever site you're using (and they can be easily sniffed via the developer tools).

Instead, I suggest you see if the service has an authorization API. For example, you can have your extension request partial permissions to the Google account. Of course, if the data directory is stolen, then the attacker has access to these permissions. This way, an attacker can only work within the bounds of what your extension can do. With a restricted-permissions API key, the attacker can only work within the bounds of those perms. All you can do is help restrict the possibilities: with the direct password, an attacker can do all sorts of stuff like change the password.

Many sites (like Twitter) support OAuth; that's another thing you can try. Most OAuth-enabled sites only give limited permissions via OAuth.

Otherwise, store the password on your server and have the server do everything; just use your extension for communicating with the server and displaying the result. If you do everything on the server, then the attacker cannot do much outside the capabilities of your extension, since the server only knows how to make certain types of requests to the page.

In the end, whatever method you use to secure it, an attacker stealing the data directory will be able to do some damage.
