Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.
The problem? If someone has installed a malicious add-on, their web browsing data (e.g. browsing history, password credentials, what they type into a website, etc.) would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.
Would only using open-source browser add-ons be a safe option? Well open-source add-ons would definitely lower the chance that someone would get away with spying on you. However open-source projects do not have a spotless security track record either. There is still some risk.
Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).
Here is an example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).
Posted in Android, Computers, General, Internet and Servers, Security, Software
Many people use online services to generate secure passwords.
There is this idea that since your web browser is the one generating your passwords locally on your computer (via JavaScript) instead of someone else’s computer (e.g. web server), this is supposed to keep someone from getting a hold of your password.
Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?
Technically, no. Why? Well there are a few reasons why generated passwords (via JavaScript) can be compromised.
the [Math.Random] JavaScript function – Any JavaScript password generator that uses this function should be considered insecure. This is because the Math.Random function does not provide cryptographically-secure results. It is even possible to predict the output of Math.Random.
This means that someone could potentially generate the same password that you just generated a week before. Not the best for people who want to have secure passwords.
A good, secure alternative JavaScript function to use is window.crypto.getRandomValues(array).
Summary: Using any JavaScript password generator that makes use of the Math.Random function is not wise.
web browser add-ons – Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.
The problem? If someone has installed a malicious add-on, their “secure” JavaScript generated password would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.
Would only using open-source browser add-ons be a safe option? Well open-source add-ons would definitely lower the chance that someone would get away with spying on you. However open-source projects do not have a spotless security track record either. There is still some risk.
Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).
Update 12/05/2019: Here is another example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).
Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).
computer malware – This reason is arguably the most common cause of compromised passwords…malware. Malware has the potential to do anything it can to your computer (including reading your computer’s clipboard – what you copy & paste). This will instantly compromise your JavaScript generated password (and any other sensitive information on your computer, e.g. credit card numbers).
While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.
Android (the very popular Linux OS used on smartphones all over the world) has a good number of malware created for it.
Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.
surveillance software – Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.
The tracking software will monitor your computer screen, keystrokes, what you browse, install, etc. In other words, any generated password (JavaScript or no) on these computers will be compromised. It is advised to use non-work computers for generating passwords, or anything else that is not work related.
Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.
So does this mean that I should never use any online password generators at all?
No, but just keep in mind that a JavaScript password generator, while technically a little more safe than having your password generated on a server and sent across the Internet, does not really provide a lot of extra security.
Summary: Using JavaScript (or anything else) to locally generate passwords on your computer, cannot keep your passwords completely safe from being compromised.
Posted in Android, Computers, Internet and Servers, Operating Systems, Programming, Security, Software
This is just a quick blog post reminding Android smart phone users to be watchful of what permissions Android apps claim they require, before installing them from the Google Play store.
For example, if you are going to download a flashlight app, and it wants access to your Wi-Fi, location, and phone identity, I would be suspicious of that app and find another one that requires less permissions.
Of course, the flashlight app will require camera permissions, since it will be turning off and on the camera’s light, but it should not require access to your Wi-Fi (unless it has ads, which can potentially be a privacy issue in itself) or location.
Sometimes apps do require strange permissions because of some unique situation, but in my opinion most of the time these extra “needed” permissions are nothing more than the app’s author spying on you.
Just something to remember the next time you decide to download another app.
Posted in Android, Operating Systems