Re: Native Messaging is "Phishable"

Native messaging can be "securely tied to invoking Web pages", but your
application neglects to do so.
1) Your content script listens to messages in every page, and
2) blindly forwards the message to the background script, which
3) spawns a native messaging host and forwards the given message.

In step 1, your script knows the location of the page where it is running
(e.g. event.origin in the message event, or just location.href).
In step 2, your background script knows the location of the sender (e.g.
sender.frameUrl).
In step 3, your native application knows that the message was sent from a
whitelisted extension (via the native messaging host manifest; in case
you've registered multiple origins, the actual origin can still be
identified in Chrome via the native app's command-line arguments).

* NOTE: If the web page is served over http, then the message's
authenticity at step 1 cannot be guaranteed, since a MITM attacker can
easily spoof messages.

If you do not validate the origin of the message at any of these steps,
then yes, any web page can launch a native messaging app. This is not a
problem with native messaging, but with your demo extension.

Kind regards,
 Rob
 https://robwu.nl

2016-12-03 8:26 GMT+01:00 Anders Rundgren <anders.rundgren.net@gmail.com>:

> Since native applications are not securely tied to invoking Web pages, it
> appears that this concept is susceptible to phishing.
> One may argue that Native Messaging isn't callable by Web pages but that's
> incorrect [1], and it is probably the #1 use-case as well.
>
> I believe the same problem is valid for the URL schemes used in Android as
> well.
>
> Anders
>
> [1] it just takes some ingenuity: https://github.com/cyberphone/web2native-bridge/tree/master/extension/release
>
>
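The three origin checks Rob lists, written out as an added example for this archive page; this is not code from the thread, from Rob or Anders, or from the web2native-bridge project. The allow-list of page origins, the extension id and the sample messages are constructed placeholders. The background hop uses Chrome's MessageSender.id and MessageSender.url fields; the native-host hop relies on Chrome passing the calling extension's origin (chrome-extension://<id>/) as a command-line argument, as Rob notes. Each hop validates what the browser itself reports and refuses when that disagrees with what the previous hop claimed.

```javascript
// Added illustration of the three checks in Rob's reply; not code from the thread
// or from web2native-bridge. ALLOWED_PAGE_ORIGINS and EXTENSION_ID are constructed.
const ALLOWED_PAGE_ORIGINS = new Set(["https://app.example.com"]);
const EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"; // placeholder, not a real id

// Shared rule: only https origins on the allow-list are trusted. An http page can be
// rewritten by a network attacker (Rob's NOTE), so a message from it proves nothing.
function isAllowedPageOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch (e) { return false; } // "null", "about:blank", garbage
  return url.protocol === "https:" && ALLOWED_PAGE_ORIGINS.has(url.origin);
}

// Step 1 (content script): rely on what the browser reports, event.origin and
// location.href, never on a field inside event.data, and insist that both agree.
function contentScriptFilter(event, pageHref) {
  let pageOrigin;
  try { pageOrigin = new URL(pageHref).origin; } catch (e) { return null; }
  if (!isAllowedPageOrigin(pageOrigin)) return null;
  if (event.origin !== pageOrigin) return null;           // e.g. a cross-origin frame
  if (typeof event.data !== "object" || event.data === null) return null;
  return { origin: pageOrigin, payload: event.data };
}

// Step 2 (background script): chrome.runtime.onMessage hands over a MessageSender
// whose id and url are filled in by the browser. Re-check them here instead of
// trusting the content script's claim, and refuse if the two disagree.
function backgroundFilter(message, sender) {
  if (!sender || sender.id !== EXTENSION_ID || !sender.url) return null;
  let senderOrigin;
  try { senderOrigin = new URL(sender.url).origin; } catch (e) { return null; }
  if (!isAllowedPageOrigin(senderOrigin)) return null;
  if (!message || message.origin !== senderOrigin) return null;
  return { origin: senderOrigin, payload: message.payload };
}

// Step 3 (native host): Chrome launches the host with the calling extension's origin
// ("chrome-extension://<id>/") as a command-line argument, so a host registered for
// several extensions can still tell which one is talking. Returns the id or null.
function nativeHostCaller(argv, allowedExtensionIds) {
  const arg = argv.find((a) => a.startsWith("chrome-extension://"));
  if (!arg) return null;
  const id = arg.slice("chrome-extension://".length).replace(/\/+$/, "");
  return allowedExtensionIds.includes(id) ? id : null;
}

// The whole chain on one set of inputs: each hop only sees what the previous hop
// returned, and the result is the payload the native host may act on, or null.
function runChain({ event, pageHref, sender, nativeArgv, allowedExtensionIds }) {
  const fromPage = contentScriptFilter(event, pageHref);
  if (!fromPage) return null;
  const fromBackground = backgroundFilter(fromPage, sender);
  if (!fromBackground) return null;
  const caller = nativeHostCaller(nativeArgv, allowedExtensionIds);
  if (!caller) return null;
  return { extensionId: caller, pageOrigin: fromBackground.origin, payload: fromBackground.payload };
}

// Constructed sample runs (not a captured exchange).
const GOOD = {
  event: { origin: "https://app.example.com", data: { cmd: "sign", doc: "hello" } },
  pageHref: "https://app.example.com/index.html",
  sender: { id: EXTENSION_ID, url: "https://app.example.com/index.html" },
  nativeArgv: ["/opt/native-host", "chrome-extension://" + EXTENSION_ID + "/"],
  allowedExtensionIds: [EXTENSION_ID],
};
// Same page served over plain http: rejected at step 1 (and again at step 2).
const HTTP_PAGE = {
  ...GOOD,
  event: { ...GOOD.event, origin: "http://app.example.com" },
  pageHref: "http://app.example.com/index.html",
  sender: { ...GOOD.sender, url: "http://app.example.com/index.html" },
};

console.log(runChain(GOOD));      // delivered to the host
console.log(runChain(HTTP_PAGE)); // null
```

In a real extension, contentScriptFilter runs inside the window "message" listener of the content script, backgroundFilter inside chrome.runtime.onMessage before chrome.runtime.connectNative is called, and nativeHostCaller on the host's process arguments at startup; keeping them as plain functions here lets the chain be exercised without a browser.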

Received on Saturday, 3 December 2016 11:17:19 UTC