So I looked into this Scirge extension.

The good news: I don’t see any attack surface here, it’s safe.

The bad news: As I see it, the extension is essentially corporate-mandated spyware, capable of extracting users’ login credentials for any website and probably more.

Which credentials are logged is determined by a list of policies downloaded from the corporate Scirge server. The policies are determined by the server admins responsible at their sole discretion.

Passwords logged go through SHA-1 hashing, this offers almost no protection.

What makes matters worse here: there is zero transparency. All server communication is encrypted using public key cryptography (yes, in addition to TLS). This serves no purpose privacy-wise but provides quite efficient obfuscation.


Ah, Scirge website actually mentions them storing passwords in the database:

“only industry standard secure hashes are stored at the Central Server database”

Yes, calling SHA-1 “secure” is one way of looking at this… 🙄

Thanks to @varx for the discovery!

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.