简单的自动填充书签的安全含义
在工作中,我经常需要登录到不同的内部门户,进行人力资源,旅行预订等。每个门户都有一组不同的登录详细信息。
浏览器扩展程序被阻止,这意味着我不能使用PW管理器,因此我没有重复使用详细信息或不安全地写下它们,而是写了一个非常简单的书签,可以在每个门户网站上自动填充我的详细信息。它通过单个硬编码的JS对象来工作,该对象将我所有的用户名和密码存储在每个门户的域名(总计约六个)。运行书签将检查当前站点以进行域匹配,然后如果找到了匹配项。
从功能上讲,它可以很好地工作,但我担心我可能会忽略安全含义,尤其是当我以纯文本存储密码在书签中,然后将其注入页面中。我的具体问题:
- 假设我没有任何书签云同步打开,我是否需要担心对书签的物理访问?没有其他人使用我的笔记本电脑,但也许有人可以在自己的Windows帐户上登录并访问我的用户数据?
- 每次我运行书签时,它都会将整个脚本注入页面,其中包含JS对象存储 ash all 密码。网页所有者可以以某种方式捕获它并将其发送回服务器吗?这取决于我的书签是全球还是本地范围的?
- 有更好的方法吗?我考虑过将登录详细信息存储在文本文件中,书签将打开和读取,但这需要浏览“打开”对话框,这是非常漫长的。有什么想法吗?
编辑:消毒的书签代码(Square Brackets中的注释):
javascript: (() => {
Object.entries(
{
"[document.title]": {
"[username input element ID]": "[username]",
"[password input element ID]": "[password]",
}, //[Other entries...]
}[document.title]
).forEach(([k, v]) => (document.getElementById(k).value = v));
})();
At work I often need to log in to different internal portals, for HR, travel booking and so on. Each portal has a different set of login details.
Browser extensions are blocked, meaning I cannot use a pw manager, so rather than reuse details or insecurely write them down, I wrote a very simple bookmarklet to autofill my details on each portal. It works via a single hardcoded js object that stores all my username and passwords against the domain name of each portal (about half a dozen in total). Running the bookmarklet checks the current site for a domain match and then autofills if a match is found.
Functionally it works brilliantly but I'm worried that I might be overlooking the security implications, especially as I am storing my passwords in plaintext in the bookmarklet, which is then injected into the page. My specific questions:
- Assuming I don't have any bookmark cloud syncing turned on, do I need to be worried about physical access to the bookmarklet? No-one else uses my laptop but perhaps someone could log in on their own Windows account and access my user data?
- Each time I run the bookmarklet it injects the whole script onto the page, which contains the js object storing all the passwords. Can the webpage owner somehow capture this and send it back to the server? Would this depend on whether my bookmarklet is globally or locally scoped?
- Is there a better approach to this? I considered storing login details in a text file which the bookmarklet will open and read but this requires going through the File open dialog which is quite long-winded. Any ideas?
Edit: Sanitised bookmarklet code (annotations in square brackets):
javascript: (() => {
Object.entries(
{
"[document.title]": {
"[username input element ID]": "[username]",
"[password input element ID]": "[password]",
}, //[Other entries...]
}[document.title]
).forEach(([k, v]) => (document.getElementById(k).value = v));
})();
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这是一个微不足道的例子,即模仿另一个网站,窃取了该网站的凭据:
我可以想到其他多种利用您发布的代码行的方法。原始代码可能包含更多的攻击向量。
因此,如本示例所示,不要滚动自己的安全软件。如果您的公司没有为您提供安全存储密码的方法,那是您的公司错误,您的IT部门应紧急解决该密码。
Here's a trivial example that mimics being another website, stealing your credentials for that site:
I can think of multiple other ways to exploit the few lines of code you posted. The original code will likely contain even more attack vectors.
So, as this example shows, do not roll your own security software. If your company does not provide a way for you to store passwords securely, it's your companies fault and your IT department should urgently fix that.