How secure is it really? #36
Comments
I was thinking the same...how is it? |
From what I understand, the key used to perform the encryption is encrypted with a It seems we can't override the value of this key, so IMHO it is not secure at all. |
It's not secure at all. The keys are right there, in the localstorage. Please, don't use this project for anything. It is dangerous. I tried to raise an issue because this project is irresponsible with their use of "secure" in marketing it, but they deleted the issue without even commenting. |
I don't agree with you.
Try before commenting. |
Do we have a consensus on this matter? Is this really secure? I'd like to see some demo POC |
Try to read this data: |
It is 1000% secure. |
@bozzaj So, just to be clear, changing the meta key name is the only thing we can do, right? I mean, just to make it hard to someone guess the name (only because it's a public and popular library). What I mean is, we are not 100% secure if somehow the attacker knows the meta key name. Right? |
Ignoring the fact that it's fairly simple to fetch all keys from localStorage then try to decode them using the algo you mentioned earlier, to see if there is a key that can be decoded. If there is, you've got your metadata without knowing the key name beforehand. Let's get some facts straight: STORING SENSITIVE DATA IN LOCALSTORAGE IS NEVER SECURE AND NEVER WILL BE. |
Please do share your findings :) |
@bozzaj The _secure__ls__metadata key will not be stored in localStorage as "_secure__ls__metadata" unless you change key:TO_SOMETHING. You can never decode that because it is encrypted, which I posted above. https://www.devglan.com/online-tools/triple-des-encrypt-decrypt No chance! The metadata is not always only base64, you can choose methods, as I chose DES. Here is the config: const ls = new SecureLS({ For example, I use vue, vuex, vuex-persistedstate. With secure-ls everything is secured. Why is this so difficult for you to understand? |
If the _secure__ls__metadata key is saved in a secure cookie, may it be more secure? |
I forked this and created another version, https://github.com/xzar90/secure-storage. It has fewer features, but the metadata key is stored in a cookie instead and the code is enclosed. |
You need to figure out what the "secure" is actually secure against/from. Secure against user tampering? That's basically impossible client-side; if JavaScript can read it client-side, the user can read it client-side. You can heavily obfuscate it, which is "secure" I guess, but then the JavaScript itself would need to be obfuscated too. But in the end it's kind of "DRM". Secure against other websites reading it? Browsers already do this. You cannot have different origins read the same localStorage... So you must define what the threat model you are protecting against is, really. |
This package uses crypto-js: |
Absolutely agree with Karel. It's straightforward for anyone familiar with basic browser tools to capture the encryption key client side.
All of the use cases I've seen this applied to are not achieving any security whatsoever. For example, I've seen it used to try and prevent users from tampering with local tokens and client-side user attributes in single-page applications, and I've had to demonstrate to coworkers that the user can capture the encryption key, decrypt, modify, and re-encrypt the data client-side. |
Heya, I'm sorry if this is a stupid question, I'm no security expert.
But if everything has to be two-way, then the secret has to be accessible to every attacker... right?
So is it really just obfuscating the data, or is there real encryption at work here, which is hard (or virtually impossible?) to break?
Would someone explain it to me?
Thanks :)