Home/ Questions/Q 8656921
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T15:23:53+00:00

I created a google-chrome-extension which redirects all requests of a javascript-file on a website

  • 0

I created a google-chrome-extension which redirects all requests of a javascript-file on a website to a modified version of this file which is on my harddrive.
It works and I do it simplified like this:

... redirectUrl: chrome.extension.getURL("modified.js")  ...

Modified.js is the same javascript file except that I modified a line in the code.
I changed something that looks like

var message = mytext.value;

to var message = aes.encrypt(mytext.value,"mysecretkey");

My question is now is it possible for the admin of this website where I redirect the javascript-file to modify his webpage that he can obtain “mysecretkey”. (The admin knows how my extension works and which line is modified but doesn’t know the used key)

Thanks in advance

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, the “admin” can read the source code of your code.
    Your method is very insecure. There are two ways to read “mysecretkey”.

    Let’s start with the non-trivial one: Get a reference to the source. Examples, assume that your aes.encrypt method looks like this:

    (function() {
    var aes = {encrypt: function(val, key) {
        if (key.indexOf('whatever')) {/* ... */}
    }};
})();

    Then it can be compromised using:

    (function(indexOf) {
    String.prototype.indexOf = function(term) {
        if (term !== 'known') (new Image).src = '/report.php?t=' + term;
        return indexOf.apply(this, arguments);
    };
})(String.prototype.indexOf);

    Many prototype methods result in possible leaking, as well as arguments.callee. If the “admin” wants to break your code, he’ll surely be able to achieve this.

    The other method is much easier to implement:

    var x = new XMLHttpRequest();
x.open('GET', '/possiblymodified.js');
x.onload = function() {
    console.log(x.responseText); // Full source code here....
};
x.send();

    You could replace the XMLHttpRequest method, but at this point, you’re just playing the cat and mouse game. Whenever you think that you’ve secured your code, the other will find a way to break it (for instance, using the first described method).

    • 0