39

I realized that my bank handles sensitive information in the web console log, so my concern is if any browser extension could read the log?

Nyan D' Sparkle
  • 509
  • 4
  • 6
  • 42
    If you have browser extensions that you don't trust, you have way bigger problems than whether they can read the log. – Joseph Sible-Reinstate Monica Dec 31 '19 at 20:32
  • 3
    What do you mean by "handles sensitive information"? – RockPaperLz- Mask it or Casket Jan 01 '20 at 20:30
  • 1
    Some information like login info, accounts number, etc. – Nyan D' Sparkle Jan 02 '20 at 04:00
  • 1
    To clarify, does your bank's web site as such is handling sensitive information -- or that the online-banking system (in production) is printing sensitive information to the console? – KlaymenDK Jan 02 '20 at 11:58
  • 6
    "my bank handles sensitive information in the web console log" -- Wow. Changing banks may be easier than getting them to change their code. – bishop Jan 02 '20 at 18:11
  • 3
    You should probably be more worried about the code from several other websites that your bank loads to act as intermediaries between you and the bank's forms, as such code can alter and/or duplicate to a third party any information passing between you and your bank. And there's little you can do about it because banks are too stupid to realize that a secure communication should not be a "game of [telephone](https://en.wikipedia.org/wiki/Chinese_whispers)". – Eric Towers Jan 03 '20 at 00:23

1 Answers1

62

Any extension that has access to the DOM can read whatever is written to the console by intercepting calls. The console is a JavaScript object; it is simple to proxy calls to console.log, like this example from zzzzBov on Stack Overflow:

(function () {
  var log = console.log;
  console.log = function () {
    log.call(this, 'My Console!!!');
    log.apply(this, Array.prototype.slice.call(arguments));
  };
}());

However I should note that intercepting console.log is not necessarily what you should be worried about. If an attacker is able to run their own code within your browser, they can do a lot of bad stuff whether or not the bank uses console.log. For more on that, see this question: Worst case scenario what can a Chrome extension do with "Your data on all websites"

But that said, if they've left console.log statements in their production site, that's a code smell.

Fire Quacker
  • 2,432
  • 1
  • 19
  • 29
  • I would recommend a separate browser profile for banking to keep different trust domains separate. – Tanath Jan 09 '20 at 11:05
  • This example doesn't work alone. Web extension hasn't the same "context" (`window`) as the page. You need to inject this code into the page and communicate back with the web extension using `postMessage`. More details [here](https://stackoverflow.com/a/12396221/983161). – Jack NUMBER Oct 09 '20 at 18:26