31

What is CryptoTokenExtension in Chromium extensions? It's not from Chrome Web store, and cannot be removed. Is it safe to use?


Din

2 Answers

25

It is the extension that allows two-step verification between hardware. From the link:

Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

It is supported by Google Chrome since version 38 and Opera since version 40. Firefox has an add-on for this. And Microsoft has plans to implement it. Dropbox, GitHub, GitLab and Bitbucket support it too.

Is it safe to use?

Well... the tool itself is there to protect you from misuse. But it all depends on how you treat your hardware I would say. On the other hand... it IS a tracking tool so Richard Stallman will disagree (strongly and furiously) (:))

Rinzwind
  • 4
    Thanks for the detailed answer. So this is an integral part of Chromium/Chrome? I was just wondering what that was. There isn't much information about this extension on the internet. – Din Nov 01 '16 at 18:18
  • 2
    Yes, and I agree there was not a lot to find on it; q's on the google forums are all unanswered :D – Rinzwind Nov 01 '16 at 18:34
  • Thank you, Rinzwind. Those who have this same question can come here and find the answer :) – Din Nov 02 '16 at 16:18
  • @Rinzwind Thank you for your answer. Could you add sources for these claims? – NotGaeL Apr 10 '20 at 18:41
  • 1
    At least the claim that this is not malicious but a valid 2FA/MFA plugin can be easily seen when looking for that id in Debian's Code Search: https://codesearch.debian.net/search?q=kmendfapggjehodndflmmgagdbamhnfd&literal=1 — beyond others it shows up in the source code of chromium as well as the chromium based qtwebengine-opensource-src in a place where it seems to belong to an extension shipped with chromium and not a blacklist. – Axel Beckert Oct 26 '20 at 03:31
6

It is part of Chromium and an extension shipped with Chromium.

Proof:

Searching for kmendfapggjehodndflmmgagdbamhnfd in the source code of all Debian packages

It shows up in multiple packages, including chromium and qtwebengine-opensource-src which is based on chromium, but also in others referencing it, e.g. here:

  • chromium_83.0.4103.116-3.1/content/browser/webauth/webauth_request_security_checker.cc:

    constexpr char kCryptotokenOrigin[] =
       "chrome-extension://kmendfapggjehodndflmmgagdbamhnfd";
    // Returns AuthenticatorStatus::SUCCESS if the domain is valid and an error
    
  • chromium_83.0.4103.116-3.1/content/browser/webauth/authenticator_impl_unittest.cc:

    constexpr char kTestRelyingPartyId[] = "google.com";
    constexpr char kCryptotokenOrigin[] =
       "chrome-extension://kmendfapggjehodndflmmgagdbamhnfd";
    constexpr char kTestExtensionOrigin[] =
       "chrome-extension://abcdefghijklmnopqrstuvwxyzabcdef";
    
  • chromium_83.0.4103.116-3.1/chrome/browser/webauthn/chrome_authenticator_request_delegate.cc:

     // Don't override cryptotoken processing.
     constexpr char kCryptotokenOrigin[] =
         "chrome-extension://kmendfapggjehodndflmmgagdbamhnfd";
     if (caller_origin == url::Origin::Create(GURL(kCryptotokenOrigin))) {
       return base::nullopt;
    

It also doesn't look like any of these occurrences are a blacklist or something else negative.

Also learned from that search result: Multiple other packages, like e.g. libauthen-u2f-perl reference this ID as "The Chrome packaged app extension ID".

It seems as if that extension is not provided by some separate extension files as is common with all 3rd party extensions, but it seems to be built into Chromium itself:

$ dgrep kmendfapggjehodndflmmgagdbamhnfd chromium chromium-common chromium-driver chromium-sandbox chromium-shell
Binary file /usr/lib/chromium/chromium matches
Binary file /usr/lib/chromium/chromium-shell matches
Binary file /usr/lib/chromium/chromium-shell matches

Actually I'm kinda surprised that even after four years (given the date of the original question), the Chromium developers neither seem to have managed nor found it appropriate to remove that "Not from Chrome Web Store" warning from chromium-internal extensions. It only is not as much highlighted as back then anymore.

P.S.: Ubuntu though builds their own chromium-browser package which is not based on Debian's chromium package. And since recently Ubuntu even ships it in one of these IMHO irksome and unnecessary snap packages. But the upstream source code still should be the same.
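
The check used in the answer above (is the extension ID compiled into the browser binary?) can be scripted as follows. This is an added example, not part of the original answer: the function names are hypothetical, the sample file is constructed, and the format check relies on Chromium extension IDs being 32 characters from the alphabet a-p.

```shell
#!/usr/bin/env bash
# Added example: report whether an extension ID is compiled into a browser
# binary (a built-in component) rather than installed as a separate add-on.
LC_ALL=C   # keep the a-p range below byte-exact regardless of locale

# Chromium extension IDs are exactly 32 characters from the alphabet a-p.
is_valid_extension_id() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in
        *[!a-p]*) return 1 ;;
    esac
    return 0
}

# classify_extension_id ID FILE...
# Prints "invalid", "builtin:<file>" for the first file containing the ID,
# or "absent" if no readable file contains it.
classify_extension_id() {
    ext_id=$1
    shift
    if ! is_valid_extension_id "$ext_id"; then
        echo "invalid"
        return 0
    fi
    for bin in "$@"; do
        [ -r "$bin" ] || continue          # skip binaries that are not installed
        if grep -qF -- "$ext_id" "$bin"; then
            echo "builtin:$bin"
            return 0
        fi
    done
    echo "absent"
}

# Constructed stand-in for a browser binary: a few raw bytes plus the origin string.
sample_bin=$(mktemp)
printf 'ELF\001\002 chrome-extension://kmendfapggjehodndflmmgagdbamhnfd\003' > "$sample_bin"

classify_extension_id kmendfapggjehodndflmmgagdbamhnfd "$sample_bin"  # ID from the question
classify_extension_id abcdefghijklmnopqrstuvwxyzabcdef "$sample_bin"  # unit-test placeholder ID
classify_extension_id abcdefghijklmnopabcdefghijklmnop "$sample_bin"  # constructed, well-formed
rm -f "$sample_bin"
```

On a real system, pass the binaries from the `dgrep` output above, e.g. `/usr/lib/chromium/chromium`. A match only shows that the string is present in the file; as the answer does, check the surrounding source to confirm the occurrence is not a blocklist entry.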