I’m creating a Chrome extension to autofill username and password for one specific site, “example.com”. I would like to make EVERYTHING localized to prevent any security concerns. My process is as follows:
- on the Options page, the user can input username/password, which is saved in chrome.storage.local
- on “example.com”, the extension autofills the username and password with chrome.storage.local.get(() => ...)
What are the security concerns of this?
What I’ve Considered
I’m concerned about:
- Chrome says storage.local is not safe, but they do not provide reasons. Liability?
- Chrome also says storage.local is unique per Chrome extension / site. So the ONLY way for an attacker to steal a password is by hacking me and / or my source code, and pushing malicious changes to my extension, correct? (if there’s any other way it’s a definite no-go)
- Ideally, I would have the password / username be encrypted, with e.g. AES-256. But if everything’s local, there’s either one master key (which any attacker could find) or a unique key that’s stored “securely somewhere” in the app, maybe created at install. << but where to store that? If there’s a “secure somewhere” in the app, I should just put the password / username there.
I’d like to do this without a server, however if that’s not possible I’m open to suggestions.