A Deep Dive into Web Extension Security
A few months back we shared some insights about the security of our web extension and explained our approach to security on the web platform. In this article, we'd like to go one step deeper and help clarify that our web-first experience is much more than a web app, and highlight a few risk scenarios we evaluate when building for our new web-first experience.
Web app vs. extension
Let's start with a refresher!
- A browser extension, on the other hand, is an application you install in your browser of choice, like Chrome, Firefox, or Edge. Browser extensions are very similar to native apps, as they run locally and do not require to access a server to run. You can see that you are running the extension if the URL looks like chrome-extension://fdjamakpfbbddfjaooikfcpapjohcfmg/credentials.
You should install the Dashlane web extension to benefit from the full Dashlane experience: autofill, popup cards for password generation, secure vault, etc.
It is both the most convenient and most secure way to use Dashlane on a desktop or laptop computer.
Now let's review why and how we assess potential risk attacks.
A risk level of zero does not exist, which is why it is important for companies like Dashlane to evaluate threats and attack scenarios continuously.
1. Tampering with the code
In addition to powering our autofill experience, the extension is a core component of our web-first experience because it provides an additional layer of security. Thanks to the extension, we have the guarantee that the code the customer is using is legitimate and has not been tampered with by malicious actors. As part of our development cycle, we sign the extension before submitting it to the browser store to confirm Dashlane is the publisher. Any update is enforced through the browser update mechanism, and we benefit from the review and approval process from store providers, creating an added layer of security for our customers. This ensures integrity and proof of origin of the Dashlane extension and avoids hackers hijacking the connection and taking actions such as displaying an alternative or fake version of the web app.
2. Stealing the memory (stored data)
The extension runs in an isolated environment called a sandbox. In computing, a sandbox is a security mechanism so a program can run without interacting with anything else happening on a device. So in this case, no other website or extension is able to access your Dashlane data. But keep in mind that if someone gains access to your physical device and can log into your operating system, they would still be able to access everything on the device. (This is true of all security products; there's nothing anyone can do if you leave your front door unlocked!) We recommend you secure your device with a password and biometrics. You can also activate biometrics to secure access to the Dashlane extension.
3. Tricking the autofill engine in your browser
This phishing attack occurs when a person is tricked into entering information into an online form on an untrustworthy website, and their autofill tool (your browser or password manager) ends up entering more information than it should. It is important to know that Dashlane never autofills on a website if the URL in your credential is different than the website URL. Additionally, as an added layer of security, we default to always ask you to enter your Master Password before autofilling payment information. We work continuously on improving the protections around our autofill engine to make the work of hackers more complicated. If you're interested in learning more about phishing or how to build awareness for you or within your company, check out our Phishing 101 Guide or our blog resources.
4. Corrupting through dependencies
Almost every tech product relies on a mix of internal code, third-party tools, and external code libraries from the open-source community. It could be possible for a malicious actor to plant corrupted code in one of those libraries. That's why we frequently inspect all the dependencies of our extension. We make sure to only rely on well-maintained libraries from the community where we can be confident that they got the right level of scrutiny. Note also that attacks based on Dynamic-Link Library (DLL) Injections would not be directly possible to attack the Dashlane extension, because the extension is not an executable file (like a desktop application), and it is sandboxed within your browser, so no libraries are loaded dynamically.
5. Compromising Dashlane
Let’s play out the worst-case scenario, in which Dashlane as a company is compromised. There are different flavors of such a threat. In most cases, that attack would not impact you as a customer, thanks to our zero-knowledge architecture. Only you know your master password which is the key to your vault. Nobody else, so hackers could not access your vault.
Another form of attack could target the development infrastructure at Dashlane, in a SolarWinds type of attack, to try to plant malicious code or a backdoor inside Dashlane application. This one is critical and we do our best to protect ourselves against such a threat: best practices around software development, policies that grant the minimal access rights needed (least privilege principle), multiple approvals of code changes...and using the Dashlane product to keep our company's passwords strong and in the right employees' hands! You can find more details in that blog post where we explain how we assess the threats against Dashlane.
Ensuring the highest level of protection for our customers is an ever-going effort. We must remain vigilant in everything we do, from the technical design of new features to the management of our server infrastructure. If you are interested to learn more, check out our Security White Paper.