Dylan Vassallo 😁

Vetting a Chrome Extension

January 19, 2013

There’s a Chrome extension out there called UCLA Automated Login that promises to enable autofill for the Single Sign-On system provided by UCLA for the users of its web applications. The SSO system is fairly aggressive about expiring sessions, so I’m not surprised that this extension has hundreds of users. Before installing it, though, I took the time to inspect its source code and found enough security issues that I refuse to use this extension and can’t recommend it to anyone else. Here’s what I found.

UCLA Automated Login

The extension works by watching for the standard “UCLA Logon” page, filling in your saved username and password, and submitting the form. Someone made this extension because the input elements on the logon page contain the attribute autocomplete="off", disabling the standard autofill mechanisms provided by most browsers (ostensibly to avoid storing this information on a shared computer). Chrome for Mac OS X stores autofill data in the Mac OS X keychain, the system-wide mechanism for storing passwords and other private data. A simple Chrome extension, which is basically a package of HTML, CSS, JavaScript, and other resources, can’t really compete with the keychain security-wise. If I were to write an extension like this, I would simply try removing the autocomplete="off" attribute on the form to enable Chrome Autofill instead of half-assedly emulating it myself.
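The alternative proposed above, written out as a content script. This is an added example, not the extension's code or anything from the post's author: it stores nothing and only strips the autocomplete="off" hint from the logon form and its fields so the browser's own password manager (backed by the keychain on Mac OS X) can offer to save and fill the credentials. The `fakeElement` helper and the sample form are constructed stand-ins so the logic can be exercised outside a browser.

```javascript
// Core logic: remove autocomplete="off" from a form and every field inside it.
// The attribute on the <form> element disables autofill for all children, so
// both levels are handled. Returns the number of attributes removed.
function enableBrowserAutofill(form) {
  let changed = 0;
  const candidates = [form, ...form.querySelectorAll('input, select, textarea')];
  for (const el of candidates) {
    const value = el.getAttribute('autocomplete');
    // Case- and whitespace-insensitive: the page may emit "OFF" or "off ".
    if (value !== null && value.trim().toLowerCase() === 'off') {
      el.removeAttribute('autocomplete');
      changed += 1;
    }
  }
  return changed;
}

// Content-script entry point: only runs when a real document exists
// (it would be registered against the logon page URL in the manifest).
if (typeof document !== 'undefined') {
  for (const form of document.querySelectorAll('form')) {
    enableBrowserAutofill(form);
  }
}

// Constructed minimal element mimicking the DOM attribute/query API; the
// selector passed to querySelectorAll is ignored and all children are returned.
function fakeElement(attrs, children = []) {
  const a = { ...attrs };
  return {
    getAttribute: (n) => (n in a ? a[n] : null),
    removeAttribute: (n) => { delete a[n]; },
    hasAttribute: (n) => n in a,
    querySelectorAll: () => children,
  };
}

// Constructed sample modelled on the logon form the post describes:
// autocomplete="off" on the form and on the username/password inputs.
function buildSampleLogonForm() {
  return fakeElement({ autocomplete: 'off' }, [
    fakeElement({ name: 'user', type: 'text', autocomplete: 'off' }),
    fakeElement({ name: 'pwd', type: 'password', autocomplete: 'OFF ' }),
    fakeElement({ name: 'remember', type: 'checkbox' }),
  ]);
}
```

Whether Chrome then offers to save the password is still up to its own heuristics; the script only removes the attribute the post identifies as the obstacle, and no credential ever touches the extension.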

The first major transgression comes from a misuse of UCLA branding to give the impression that this extension is somehow sanctioned by the university. The extension’s logo is the UCLA logo–a clear trademark violation. And the UI for saving your credentials in the extension closely mimics the standard UCLA Logon page. I’ll give the developer the benefit of the doubt and assume they did this to provide a more consistent user experience, but it could be misleading to some users.

The extension developer does make a good-faith effort to keep your login credentials secure. Your username and password are kept in LocalStorage after being encrypted by the Stanford JavaScript Crypto Library. There are worse ways to store passwords; at least LocalStorage is restricted by the same origin policy (the origin here being chrome-extension://<extension id>). But–and this is a big but–the key used to encrypt your password is right there in the extension source. It’s “javascript”, and was trivial to find by unpacking the extension.

UCLA Automated Login source

Finally–and here’s where it gets really scary–like all Chrome extensions, the developer can automatically push out an updated version to all its users. What’s to stop him from quietly changing his extension to report all usernames and passwords to a remote server? The extension would have to ask for additional permissions to make the cross-domain request, but that’s not something that will cause suspicion for most users. Students use these credentials to add and drop classes, declare majors, pay tuition, administer financial aid, submit homework assignments, apply for jobs, and much more. You really don’t want those capabilities falling into the wrong hands.

To recap: the “UCLA Automated Login” extension co-opts the university’s visual identity, stores your password in an easily decryptable form using a feature that isn’t meant to store sensitive data, and could be silently updated at any time to transmit your credentials to a remote server. Oops.