Can data in an extension indexedDB database be altered externally?

Is it possible to alter data in an extension’s database, even through a temporarily added extension?

If so, how can one protect the extension data from being altered?

For example, please consider a situation in which a user must answer a set of questions correctly before moving on to the next level within an extension. If a single boolean value is stored indicating whether or not that level has been attained, could someone alter that value to true externally and move to the next level and potentially cause the code to fail if it ever attempts to reference that previous level’s data that won’t exist as it should?

Since data is validated before storing in the database, I didn’t anticipate a need to validate data retrieved from the database; but, if it could be changed externally, that could be an issue.

Thank you.

Essentially there is a point where you have to accept that you are running on a machine that you don’t have total control over. Some attack vectors are just out of scope and are probably just about impossible to defend against (but feel free to try).

Thanks for your response. I don’t doubt that someone can always find a way to get around whatever protections one puts in place; that’s why Microsoft has so many updates, right?

But that doesn’t mean I shouldn’t perform a reasonable level of due diligence, so to speak, and not make it easy for someone to cause problems; and if that means I need to re-validate extension-generated data previously written to the database, because someone could alter it externally, then I should do it.

I can’t stop an expert from doing just about anything they want to with this extension but I might be able to prevent 95% of the people from causing issues and I might be able to prevent the program from failing if the data is altered.

I try to think through how many ways the program could fail and find a way to catch those errors. That was the point of the question.

Thanks again.

Extensions have limited access to disk. In order to read files that aren’t directly available through an API, I think an extension would need to show a file browser dialog to the user so she or he could point the extension to the file to be opened.

Thanks for your response. I likely chose a confusing word in using “externally.” I just meant external to the extension code. In an indexedDB database of the extension, I was interested in knowing whether or not that data could be manipulated by someone apart from within the extension user interface. For example, if the extension code writes false to a database property, could someone easily change that to true. Thanks.

Not easily. Two paths I could imagine:

Database Editor
The IndexedDB database Firefox uses for your extension’s stored data can be opened using a SQLite database utility. However, the encoding used for column values is difficult to understand.

Extension Debugging
Using the about:debugging page and enabling chrome/extension debugging, a user could call up the Console to run commands in the context of your extension. They would need to figure out (or acquire specific instructions on) how to modify stored values.

Thank you. That’s what I was interested in knowing and helps a lot.