How I defended myself against phishing and reinvented the wheel, but my own

    In the days of the “wild” Internet a lot of spam arrived by mail, and among it were many phishing emails. For example: “Look at the new message for you, follow the link to the VKontakte site”; “Add friends on the Odnoklassniki site.” My mother and other relatives fell for them. Back then accounts were not linked to a phone number, so I was forever restoring their accounts or changing passwords. The moment came when I was tired of it and wanted to solve the problem once and for all.
    The idea of a plugin like Web of Trust came to mind, but I suspected that a red indicator would not stop my relatives from entering a password on a bogus site. After thinking a little I came up with another idea, wrote a script and put it in Chrome. I told my relatives to use only Chrome and never type a password anywhere: if it is not entered automatically, the site is fake, so go to the real site through bookmarks. Some of them never gave out their passwords at all :).

    I wrote an extension, Autologin. Its structure is just 2 files: manifest.json and content.js.

    In the manifest it requests access to the sites we need and declares content.js as an injected content script. Its logic is simple: check the URL against a mask; if it matches, look in the DOM for the login form elements by selector; if they are found, fill in the credentials and click the submit button. Because the content script is injected only on the sites listed in the manifest, a page on any other host never receives it, which is exactly what makes “the form did not fill itself” a fake-site indicator.
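    The content script described above, as an added example that is not the Autologin project's own code. It shows the part that carries the security property: the manifest's `matches` list and an exact-host rule table decide where credentials are ever filled, so a lookalike host such as `vk.com.evil.example` or a plain-HTTP copy of the page gets nothing. The selectors, the hosts in the rule table, the credential store and the `autofill`/`matchRule` names are assumptions for illustration; real sites' form markup differs.

```javascript
// Added example (not the Autologin project's own code): a minimal
// Autologin-style content.js. Hosts, selectors and credentials below
// are assumed for illustration, not taken from the real sites.

// What a Manifest V2 manifest.json for this layout would contain.
// Only origins in `matches` ever receive content.js, so a phishing
// page on another host never sees the script or the credentials.
const MANIFEST = {
  manifest_version: 2,
  name: "Autologin (example)",
  version: "0.1",
  content_scripts: [{
    matches: ["https://vk.com/*", "https://e.mail.ru/*"], // assumed hosts
    js: ["content.js"],
    run_at: "document_idle",
  }],
};

// Rule table: one entry per known login form. Hosts are compared exactly,
// never by substring, so "vk.com.evil.example" does not match the vk.com rule.
const RULES = [
  { host: "vk.com",    path: /^\/(login)?$/, user: "#index_email",         pass: "#index_pass",          submit: "#index_login_button" },
  { host: "e.mail.ru", path: /^\/login/,     user: "input[name=username]", pass: "input[name=password]", submit: "button[type=submit]" },
];

// Constructed credential store (the real extension encrypts this part).
const CREDS = {
  "vk.com":    { user: "alice@example.com", pass: "hunter2" },
  "e.mail.ru": { user: "alice@mail.ru",     pass: "correct-horse" },
};

// Pick the rule for a URL: HTTPS only, exact hostname, path by regexp.
function matchRule(urlString, rules = RULES) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  if (url.protocol !== "https:") return null;
  return rules.find(r => r.host === url.hostname && r.path.test(url.pathname)) || null;
}

// Fill the login form located by the rule's selectors and submit it.
// `doc` is the page's `document` in a browser; any object with
// querySelector() works. Returns true only when every element was
// present and the submit button was clicked.
function autofill(doc, urlString, rules = RULES, creds = CREDS) {
  const rule = matchRule(urlString, rules);
  if (!rule) return false;                     // not a known login page: do nothing
  const account = creds[rule.host];
  if (!account) return false;                  // site known, no account saved
  const user = doc.querySelector(rule.user);
  const pass = doc.querySelector(rule.pass);
  const submit = doc.querySelector(rule.submit);
  if (!user || !pass || !submit) return false; // form changed or not rendered yet
  user.value = account.user;
  pass.value = account.pass;
  submit.click();
  return true;
}

// In the real content.js this is all that runs at injection time.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  autofill(document, window.location.href);
}
```

    The rule table is what later became the “database of forms”: adding a site means adding a host, a path pattern and three selectors, and the host comparison stays exact no matter how many entries there are.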

    I spent a little time scanning mail.ru, VK and Odnoklassniki for their login forms, then another hour entering each relative's usernames and passwords.
    Later I was also sent the login forms I had missed. I added those forms and updated the extension (at that time Chrome did not yet block unpacked developer extensions, and they sat unpacked in everyone's Documents folder).

    I started using it myself too. I added account selection, which is convenient when you have many of them (Google did not yet offer switching between accounts). It also gives some extra protection against trojans: if one gets in, nobody knows about my extension, even though the passwords are stored in plain text. Browsers can also easily import passwords from each other, which is a bit annoying.
    While the extension was in use, nobody had an account taken over again. I had secured myself and my relatives and got my peace back. Now Google has blocked unpacked extensions and it all stopped working. But people have become more competent and cautious, and by now this kind of phishing has largely died out.

    That seems to be the end of the story, but the devil tempted me into making a normal user interface for the extension. All because a friend saw it, got interested and asked for one for himself.
    Unfortunately I never managed to deliver it to him ...
    And what do they say about 20% of the effort giving 80% of the functionality? Here it came out 95 to 5!

    If you release an extension into the world, you have to finish it properly.
    A bunch of requirements appeared at once:
    • Data encryption, in different ways: for the lazy and for the paranoid;
    • A data storage structure: 1 account, many sites, many forms;
    • A system for updating the database of forms. There are a lot of sites and you cannot track all of them yourself;
    • Synchronization between browsers.

    For encryption I found the github.com/mdp/gibberish-aes library.
    For the lazy I generate a key, store it in the database and encrypt the passwords with it.
    For the paranoid I encrypt that key with a master password.
    For the moderately paranoid I keep the master password in RAM and do not ask for it again.
    By the way, can you tell me how reliable this encryption is?

    For storage, github.com/knadh/localStorageDB is something like MongoDB, a wrapper over localStorage; import and export are convenient with it.
    To update the database of forms I use GitHub: when the browser starts I check the repository for updates, so contributors can be appointed to maintain the database. Whoever can commit to that repository also decides which pages get which fields filled, so the update channel is part of the extension's trust boundary.

    The user interface is written with jQuery UI and plugins. To start using it, go to the “Providers” tab, select the provider whose account you want to save and fill out the form.

    The encryption level is a setting for freeloaders and for the paranoid. Levels 1 and 2 are not available until you turn on “Advanced Security” (you can enable it on the Settings tab).

    Advanced security adds extra password encryption.
    Security level 0 gives no real password protection. Account data cannot be viewed in plain text, but anyone who knows where to look can decrypt it without difficulty: the passwords are encrypted in the database, and the encryption key is stored in the same database.
    Security level 1 protects passwords under one condition: do not leave the browser open after entering the encryption key. The key is requested once and kept in browser memory.
    Security level 2 gives the strongest protection available. The encryption key is requested every time; it is never stored anywhere and is used only to decrypt the account for the login that follows.

    There is also a setting, “use for multiple accounts of one provider”. A modal dialog dims the whole page and shows the list of accounts, with the font size adjusted so that all of them fit. The informer icon simply appears in the address bar and shows the account selection menu only when you click it.

    Backup is simple serialization of the database to JSON, with import from and export to a file.

    For me the extension is convenient and I use it all the time. The sources are on GitHub; maybe someone else will find it useful. I did not dare upload it to the Web Store: with functionality like this they are unlikely to let it through.
