Paladin Browser Protection by Paladin Cyber is a browser extension for Google Chrome that provides a Phishing Email Filter, Public Wi-Fi Protection, Website & content filter, XSS Protection, and a Password Manager. Further details about the product can be found at
https://www.meetpaladin.com/paladin-browser-protection
Inferno Systems Inc., a cyber security and penetration testing company, provided both source code review as well as network penetration services for Paladin Cyber.
Full Disclosure: Inferno Systems Inc. was compensated by Paladin Cyber for the time spent reviewing their product providing an advanced copy of this report for Paladin Cyber to address any security issues or risks discovered. Inferno Systems Inc has conducted several testing and remediation cycles with Paladin Cyber. This report represents the latest round of testing. The dedication to enhancing product security and ensuring the maximum possible safety of customers’ data is a sign of Paladin Cyber’s commitment to security.
To further certify that this report has not been tampered with, Inferno Systems Inc. is hosting this report at the following URL:
https://infernosystems.com/wp-content/uploads/2022/05/201812_PaladinBrowserProtection.pdf
The report is further signed by Inferno Systems Inc. using GPG . Details regarding the validation of the signature of this document can be found in Appendix A at the end of this document.
This source code review and penetration test was conducted between September – December 2018 on development versions of the Paladin Browser Protection browser extension for Google Chrome.
The results are an overall assessment of the Paladin Browser Protection security posture. The findings in this report reflect the conditions found during the time of the assessment and do not necessarily reflect current conditions.
Product Overview
Paladin Browser Protection by Paladin Cyber is a browser extension for Google Chrome that provides a Phishing Email Filter, Public Wi-Fi Protection, Website & content filter, XSS Protection, and a Password Manager. Each of these features are reviewed in depth below. For more information about the advertised features of the product, see https://www.meetpaladin.com/paladin-browser-protection
The plugin can be downloaded from the Chrome Web Store at the following URL:
Findings Overview
Inferno Systems identified 3 significant findings in addition to multiple points of interest. The table below provides a high-level summary of the identified issues. The severity of each finding is based on the complexity to exploit, the potential damage if exploited, and the suggested remediation.
Vulnerability |
Severity |
Remediation |
|---|---|---|
| WebSocket traffic not supported by Proxy | LOW | After receiving Paladin Response to this issue, we suggest documenting or alerting the user when parts of the page are not secured |
| IPv6 traffic not support by Proxy | Remediated | After receiving Paladin Response to this issue, we suggest documenting or alerting the user when parts of the page are not secured |
| TLD Parsing bug could lead to entire TLDs being whitelisted | Remediated | Utilize Mozilla’s curated TLD list to correctly parse TLDs out of domain names |
| Improper Domain Parsing in the Password Manager | Remediated | Utilize Mozilla’s curated TLD list to correctly parse TLDs out of domain names |
| View-source on a page flagged as phishing | POI | Whitelist view source unless there is good reason to leave it marked as phishing |
| Consider increasing BCrypt cost factor dynamically | POI | Ideally this would be tunable on the server side rather than hard-coded into the paladin-sdk project. By doing so, Paladin Cyber can increase the cost factor as compute speed increases without having to update the extension itself. |
| Consider removing export passwords function | POI | Remove functions needed only for testing from release builds |
Paladin Browser Protection General Findings
Overall, Paladin Browser Protection is well thought out and takes care to not log or otherwise mishandle user information. To facilitate a deeper analysis, we were provided source code to the Paladin Browser Protection extension as well as some of the backend code (server-side code).
Our Part 2 dives deep into the details of the findings. Click here!