Ever got a funny feeling when your password manager popped up offering to save a login that you thought was really, really confidential? Well, you should get it, because this is a sign that the app is able to see everything you’re doing. The developer of this app could get hacked (or the developer of any add-on or extension you’re using, for that matter), and then all your precious logins would be sent to some hacker’s computer without your noticing anything amiss. That is, until you look at your bank account and find that all your life’s savings have been sent to an account in the Cayman Islands.
Page Cage is here to help you with that. It won’t always work, but it will work with a number of sites.
Page Cage is a Chrome extension and Firefox add-on that does a very simple thing: it opens a new tab where you can load a webpage inside an object called an iframe. If the webpage loads (sometimes it doesn’t, as explained below), it will be invisible to any extensions or add-ons you may have installed. This means password managers and ad blockers, but also any malicious code that may have slipped into that extension that replaces ads with funny pictures, which you installed on a whim who knows how long ago.
Operation is super-easy. After installing the add-on or extension, you get a cage icon in the top right area of your browser. Then, when you want to load a webpage into a protective cage, you do this:
- Click the icon. It looks like a little cage with a keyhole.
- A new tab opens and there is a box in it. Type the page address there. If you don’t supply a protocol, it will be assumed to be https. Then click the Load button.
- If the server agrees to send the page to a frame, it will load below the box where you wrote the address. You can work with it normally, confident that none of the browser extensions will see what you’re doing.
The server may also refuse to send the page, and in that case you won’t see anything below the box. Many servers refuse to send their pages to frames in order to prevent a “clickjacking” attack, where a malicious transparent page is invisibly overlaid on top of the loaded page. You think you are clicking buttons in the framed page, but in reality you are clicking buttons on the transparent page, which will then execute who knows what malicious payload that requires your “explicit” consent. Pages like Google, Amazon, and eBay act this way, and there’s nothing Page Cage can do about it because it is decided by their servers, not by Page Cage.
But it does work beautifully with things like the PassLok app: https://passlok.com/app, or URSA: https://passlok.com/ursa, which otherwise are exposed to malicious extensions. Of course, you could always run your browser in anonymous or private mode, and make sure you leave all extensions inactive, but probably that takes too much work. Page Cage will achieve pretty much the same with a single click.
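The server-side refusal described above is signalled through response headers, normally X-Frame-Options or the frame-ancestors directive of Content-Security-Policy. The following is an added example, not Page Cage's own code, that predicts from a set of headers whether a page will render in a frame hosted by another origin. The function name, the sample headers and the origin https://cage.example are constructed, and the embedding tab is assumed to behave like an ordinary cross-origin https page; how a given browser treats extension-page origins is not modelled.

```javascript
// Added example (not Page Cage code): predict from response headers whether a
// server lets its page render inside a frame hosted by a different origin.
// framingVerdict and the sample headers below are constructed for illustration.
function framingVerdict(headers, embedderOrigin) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
  const directive = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    // Simplified matching: '*' and exact origins only. 'self', 'none' and an
    // empty list never match a cross-origin embedder.
    const ok = sources.includes("*") || sources.includes(embedderOrigin.toLowerCase());
    return { allowed: ok, reason: "CSP frame-ancestors " + (sources.join(" ") || "(empty)") };
  }

  // Legacy header: DENY and SAMEORIGIN both block a cross-origin parent.
  // Other values (such as the obsolete ALLOW-FROM) are ignored by current browsers.
  const xfo = (h["x-frame-options"] || "").split(",").map((v) => v.trim().toLowerCase());
  if (xfo.includes("deny") || xfo.includes("sameorigin")) {
    return { allowed: false, reason: "X-Frame-Options " + xfo.join(",") };
  }
  return { allowed: true, reason: "no framing restriction sent" };
}

// Constructed sample responses, one per case.
const samples = {
  "blocks-all": { "X-Frame-Options": "DENY" },
  "same-site-only": { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" },
  "csp-wins": { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors https://cage.example" },
  "unrestricted": { "Content-Type": "text/html" },
};
for (const [name, hdrs] of Object.entries(samples)) {
  const v = framingVerdict(hdrs, "https://cage.example");
  console.log(name, v.allowed ? "frames" : "refused", "-", v.reason);
}
```

To see what a real site sends, look at the response headers of its main document in the browser's developer tools.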