Code Review and Penetration Test

Paladin Browser Protection Code Review and Penetration Test – Pt. 1

Overview

Paladin Browser Protection by Paladin Cyber is a browser extension for Google Chrome that provides a Phishing Email Filter, Public Wi-Fi Protection, Website & content filter, XSS Protection, and a Password Manager. Further details about the product can be found at

https://www.meetpaladin.com/paladin-browser-protection

Inferno Systems Inc., a cyber security and penetration testing company, provided both source code review as well as network penetration services for Paladin Cyber.

Full Disclosure: Inferno Systems Inc. was compensated by Paladin Cyber for the time spent reviewing their product providing an advanced copy of this report for Paladin Cyber to address any security issues or risks discovered. Inferno Systems Inc has conducted several testing and remediation cycles with Paladin Cyber. This report represents the latest round of testing. The dedication to enhancing product security and ensuring the maximum possible safety of customers’ data is a sign of Paladin Cyber’s commitment to security.

To further certify that this report has not been tampered with, Inferno Systems Inc. is hosting this report at the following URL:

https://infernosystems.com/wp-content/uploads/2022/05/201812_PaladinBrowserProtection.pdf

The report is further signed by Inferno Systems Inc. using GPG . Details regarding the validation of the signature of this document can be found in Appendix A at the end of this document.

This source code review and penetration test was conducted between September – December 2018 on development versions of the Paladin Browser Protection browser extension for Google Chrome.

The results are an overall assessment of the Paladin Browser Protection security posture. The findings in this report reflect the conditions found during the time of the assessment and do not necessarily reflect current conditions.

Product Overview

Paladin Browser Protection by Paladin Cyber is a browser extension for Google Chrome that provides a Phishing Email Filter, Public Wi-Fi Protection, Website & content filter, XSS Protection, and a Password Manager. Each of these features are reviewed in depth below. For more information about the advertised features of the product, see https://www.meetpaladin.com/paladin-browser-protection

The plugin can be downloaded from the Chrome Web Store at the following URL:

https://chrome.google.com/webstore/detail/paladin-browser- protectio/lkhghipfmlbmmcamcamkhpjjggnlpani/related?hl=en

Findings Overview

Inferno Systems identified 3 significant findings in addition to multiple points of interest. The table below provides a high-level summary of the identified issues. The severity of each finding is based on the complexity to exploit, the potential damage if exploited, and the suggested remediation.

Vulnerability

Severity

Remediation

WebSocket traffic not supported by Proxy LOW

After receiving Paladin Response to this issue, we suggest documenting or alerting the user when parts of the page are not secured

IPv6 traffic not support by Proxy Remediated

After receiving Paladin Response to this issue, we suggest documenting or alerting the user when parts of the page are not secured

TLD Parsing bug could lead to entire TLDs being whitelisted Remediated

Utilize Mozilla’s curated TLD list to correctly parse TLDs out of domain names

Improper Domain Parsing in the Password Manager Remediated

Utilize Mozilla’s curated TLD list to correctly parse TLDs out of domain names

View-source on a page flagged as phishing POI

Whitelist view source unless there is good reason to leave it marked as phishing

Consider increasing BCrypt cost factor dynamically POI

Ideally this would be tunable on the server side rather than hard-coded into the paladin-sdk project. By doing so, Paladin Cyber can increase the cost factor as compute speed increases without having to update the extension itself.

Consider removing export passwords function POI

Remove functions needed only for testing from release builds

Paladin Browser Protection General Findings

Overall, Paladin Browser Protection is well thought out and takes care to not log or otherwise mishandle user information. To facilitate a deeper analysis, we were provided source code to the Paladin Browser Protection extension as well as some of the backend code (server-side code).

Our Part 2 dives deep into the details of the findings. Click here!