Kaspersky password manager safe

1/23/2024

I looked at a number of password manager browser extensions already, and most of them have some obvious issues. Kaspersky Password Manager manages to stand out in the crowd however, the approach taken here is rather unique.

You know how browser extensions are rather tough to exploit, with all that sandboxed JavaScript and restrictive default content security policy? Clearly, all that is meant for weaklings who don’t know how to write secure code, not the pros working at Kaspersky. Kaspersky developers don’t like JavaScript, so they hand over control to their beloved C++ code as soon as possible. No stupid sandboxing, code is running with the privileges of the logged in user. No memory safety, dealing with buffer overflows is up to the developers.

How they managed to do it? Browser extensions have that escape hatch called native messaging which allows connecting to an executable running on the user’s system. And that executable is what contains most of the logic in case of the Kaspersky Password Manager, with the browser extension being merely a dumb shell.

The extension uses website events to communicate with itself. As in: code running in the same scope (content script) uses events instead of direct calls. While seemingly pointless, this approach has a crucial advantage: it allows websites to mess with the communication and essentially make calls into the password manager’s executable. Because, if this communication channel weren’t open to websites, how could the developers possibly prove that they are capable of securing their application?

Now I’m pretty bad at reverse engineering binary code. But I managed to identify large chunks of custom-written code that can be triggered by websites more or less directly:

While the JSON parser is required by the native messaging protocol, you are probably wondering what the other two chunks are doing in the executable. After all, the browser already has a perfectly capable HTML parser. But why rely on it? Analyzing page structure to recognize login forms would have been too easy in the browser. Instead, the browser extension serializes the page back to HTML (with some additional attributes, e.g.
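
The design flaw described above, where a content script talks to itself through events on the page it shares with the website, can be modelled in a few lines. This is an added example, not code from the extension or the original post: the event name `pm-request`, the `analyzePage` operation and the native host stub are hypothetical, and an `EventTarget` stands in for the page DOM.

```javascript
// Constructed model: `sharedDocument` stands in for the page DOM, which both
// the extension's content script and the website's own scripts can reach.
class DetailEvent extends Event {
  constructor(type, detail) { super(type); this.detail = detail; }
}

// Hypothetical stand-in for the native messaging hop to the local executable.
function makeNativeHost() {
  const received = [];
  return { received, send: (msg) => { received.push(msg); return received.length; } };
}

// Weak design: two parts of the same content script talk via DOM events.
// Any listener on the shared DOM cannot tell who dispatched the event.
function installEventBridge(sharedDocument, host) {
  sharedDocument.addEventListener("pm-request", (e) => host.send(e.detail));
  // The extension's own caller goes through the shared DOM as well.
  return (msg) => sharedDocument.dispatchEvent(new DetailEvent("pm-request", msg));
}

// Hardened design: the same-scope caller holds a direct function reference,
// so nothing dispatched on the shared DOM leads to the native host.
function installDirectBridge(_sharedDocument, host) {
  return (msg) => host.send(msg);
}

// Simulates an arbitrary script on the visited page firing the same event.
function pageScriptDispatch(sharedDocument, msg) {
  sharedDocument.dispatchEvent(new DetailEvent("pm-request", msg));
}

// Runs one extension call and one website-originated event against a bridge
// and returns the origins of the messages that reached the native host.
function run(install) {
  const doc = new EventTarget();
  const host = makeNativeHost();
  const extensionCall = install(doc, host);
  extensionCall({ origin: "extension", op: "analyzePage" });
  pageScriptDispatch(doc, { origin: "website", op: "analyzePage" });
  return host.received.map((m) => m.origin);
}

console.log("event bridge :", run(installEventBridge));
console.log("direct bridge:", run(installDirectBridge));
```

With the event bridge the website's message reaches the native host alongside the extension's own; with direct calls only the extension's message does, which keeps the C++ parsers out of reach of page-controlled input on that path.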