Password Managers

Exposing Passwords Everywhere


Marc Blanchou marc[at]isecpartners[dot]com
Paul Youn paul[at]isecpartners[dot]com
iSEC Partners, Inc
123 Mission Street, Suite 1020
San Francisco, CA 94105
https://www.isecpartners.com
November 13, 2013
Abstract
Advancements in password cracking and frequent theft of password databases endanger single-factor password authentication systems. Password managers are one of the only tools available that can help users remember unique high-entropy passwords, and other secrets such as credit card numbers, for a large number of applications. Can password managers deliver on their security promises, or do they introduce their own security vulnerabilities? This paper examines popular browser-based password managers and presents common security flaws that could be exploited to remotely extract a user's password.
1 Introduction
People regularly use dozens, if not hundreds, of web applications. Savvy users know that the best security practice is to choose unique and complex passwords for every web application. Passwords are chosen to resist both online and offline brute-force attacks that might occur after a password database has been stolen. Offline attacks get better and better as password dictionaries get published [1] (and are used as baseline guesses against passwords) and computing power improves. [2]
Even users who have a system for creating passwords that may be more difficult [3] to guess [4] will have trouble remembering the exact password for a web application that is only rarely used. The solution is some type of password management system.
Password management systems can range from using the integrated browser auto-fill functionality, to a spreadsheet of usernames and passwords, to a memorized system for modifying passwords between applications, to actual password management software. Actual password management software is becoming increasingly popular because of the usability and affordability of the products.
Previous research on password managers has focused on the cryptographic protections of the passwords themselves in particular environments such as mobile devices. [5] This research instead focuses on browser-specific integrations and mechanisms to remotely compromise credentials. Four of the most popular password managers were examined [6]:
LastPass Chrome and Firefox Add-On, version 2.0.20: https://lastpass.com/
OneLastPass Chrome Extension, version 2.6.7: https://www.onelastpass.com/
1Password Chrome and Firefox Add-On, version 3.9.19: https://agilebits.com/
MaskMe Chrome and Firefox Add-On, version 1.27.318: https://www.abine.com/maskme/
[1] http://www.theregister.co.uk/2010/01/21/lame_passwords_exposed_by_rockyou_hack/
[2] http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
[3] http://xkcd.com/936/
[4] https://www.schneier.com/blog/archives/2007/01/choosing_secure.html
[5] http://media.blackhat.com/bh-eu-12/Belenko/bh-eu-12-Belenko-Password_Encryption-Slides.pdf
https://www.isecpartners.com 1/6
Password managers have a difficult goal: provide a password management system that is both easy to use and also protects passwords from unauthorized parties. In the context of a web browser, password managers should make it easy to log into web applications, but also ensure that passwords are only submitted to the intended party.
Making sure that passwords are only sent to the intended party is actually more complicated than it may seem. Password managers must answer difficult questions such as:
Which login form is correct?
When should the password be auto-filled?
Is the password being submitted to the intended party?
This research shows that most password managers made design decisions that greatly increase the chance of users unknowingly exposing their passwords through application-level flaws. Many of the flaws relate to browser-integrated password managers that don't follow the same-origin policy that is crucial to browser security. In the case of password managers, this means that passwords could be filled into unintended credential forms, making password theft easier.
2 Vulnerabilities in Browser Integration
The most popular password managers have integrated browser extensions or plug-ins that can automatically manage your passwords. The extensions attempt to automatically detect credential fields and fill out detected forms with the appropriate password. If the integration isn't performed properly, passwords could be filled into an attacker-controlled password form or siphoned off to unintended parties.
We tested the above password managers to see if they could properly protect against the multiple attacks described below.
2.1 HTTP vs HTTPS
Perhaps the worst type of vulnerability discovered was in the MaskMe password manager. MaskMe failed to distinguish between the HTTPS and HTTP schemes, and so violated the same-origin policy concept. That means that if MaskMe is configured to auto-fill a credential on an HTTPS domain such as https://www.google.com, but encounters a login form on http://www.google.com, the form will still be populated.
A man-in-the-middle attacker, say on a public wireless network, could simply redirect victims to fake HTTP versions of popular websites with login forms and JavaScript that auto-submits after they are automatically filled in by MaskMe. Anyone using MaskMe with auto-fill enabled (this is the default behavior) could very quickly have their passwords stolen by simply connecting to a malicious access point, and the victims would never know.
[6] All password managers discussed in this paper have been informed of the discussed weaknesses and were given at least sixty days to address the issues prior to the publishing of this whitepaper.
2.2 Cross-Origin Password Submissions
Three browser-based password managers (LastPass, OneLastPass, and MaskMe) were found to submit passwords across origins. In simple terms, that means that if a login form is encountered on https://www.google.com but sends the password to https://www.isecpartners.com, the password manager will fill in the user's https://www.google.com credentials and send them to https://www.isecpartners.com. If an attacker is able to create a login form on a victim website that redirects credentials to a malicious web server or a compromised application, the attacker could steal a victim's password even when JavaScript code cannot be inserted or executed. [7]
Although the ability to create a malicious login form on someone else's website seems difficult, it could still be done relatively trivially because of additional vulnerabilities that are described in subsequent sections.
2.3 Subdomain Equivalence
OneLastPass, LastPass, MaskMe and 1Password ignored subdomains when comparing origins. That means that a login form encountered on https://forum.example.com will still be treated as equivalent to a login form encountered on https://example.com/log_in, violating the same-origin policy. [8] Subdomain equivalence is quite dangerous because some subdomains, such as user discussion forums, blogs, or mail subdomains, can often be manipulated by an attacker. For example, a forum that allows HTML-formatted comments could be exploited by an attacker to add a login form on a domain, and thus steal credentials from unsuspecting users. In addition, an application with multiple subdomains is likely to have weaker ones that could be vulnerable to Cross-Site Scripting (XSS) attacks, which could effectively allow an attacker to retrieve credentials for the parent domain when the password is auto-filled on a fake login form.
2.4 Which Login Page?
None of the examined password managers appear to verify the login page for a remembered password on a given domain. For example, although Vimeo's login page is hosted at https://vimeo.com/log_in, all of the examined password managers will detect login forms anywhere on the https://vimeo.com/ domain. [9] That means that if an attacker is able to inject a login form anywhere on the Vimeo domain, a victim's credentials could be stolen.
2.5 Amplifying Risk: Auto-Fill and Auto-Submit
In order to make password managers even more usable, LastPass and MaskMe can be configured to auto-fill a user's credentials into an encountered login form. LastPass also allows users to configure the manager to auto-submit credentials. Due to the identified issues, auto-fill and auto-submit functionality increase the risk of a victim leaking passwords, because a login form could be hidden by an attacker within an expected form. If a user submitted the expected form, they would be unaware that their password had also been filled into hidden form fields and submitted to the attacker.
2.6 Putting It Together: Stealing Passwords
Because of subdomain equivalence, it would be relatively easy for an attacker to inject a phishing login form into any popular domain. In fact, many domains explicitly allow any user to create HTML content that is then rendered; for example, wiki pages, forums, and perhaps most terrifying: most web-based email clients that render arbitrary HTML-formatted email.
[7] It should be noted that a script can retrieve and exfiltrate any data auto-filled on a page.
[8] Browsers treat these as separate domains and limit the interaction allowed between the two subdomains.
[9] This behavior is also true of password managers built into modern browsers; see Section 2.7.
We tested a phishing email containing a password field on three popular webmail providers: https://mail.live.com, https://mail.google.com, and https://mail.yahoo.com. The following proof of concept was sent as an HTML-formatted email:
<html><body>Thanks for taking our Survey!
<form action="https://www.isecpartners.com" method="post" style="font-size: medium; margin: 0px; font-family: Times; border: 0px; padding: 0px" target="_blank">
Do you like cats?: <input type="text" name="cats"><br>
Do you like dogs?: <input type="text" name="dogs"><br>
<!-- credential fields styled to zero size: invisible to the reader, still filled by the password manager -->
<input type="email" name="Email" value="" style="max-height: 0px; padding: 0px; border-width: 0px; width: 0px">
<input type="password" name="Passwd" style="max-height: 0px; padding: 0px; border-width: 0px; width: 0px">
<input type="submit" name="signIn" value="Submit"></form></body></html>
Yahoo! Mail users running LastPass are the most vulnerable to credential theft. Any Yahoo! Mail user who has LastPass with auto-login enabled for the yahoo.com domain and views emails over HTTPS could have their username and password stolen just by opening the phishing email. When the email opens, LastPass will automatically log in and send the credentials to https://www.isecpartners.com. If a user only has auto-fill enabled, the credentials will still be stolen if the survey is submitted.
Gmail users are a bit better off, because Google will warn you that a form is about to be submitted before fulfilling the request, even if LastPass auto-login functionality is enabled. For Gmail users, a victim would still be vulnerable if they actually respond to the survey and have auto-fill enabled, or if they have auto-login enabled and click through the warning. Many victims will unwittingly submit their username and password to https://www.isecpartners.com. To give an idea of how successful a phishing campaign may be, compare the two screenshots of survey emails sent to a Gmail address [10]:
The above graphic is a legitimate survey that anyone can create and send via email. Below is a malicious form that will steal a person's password if they have LastPass with auto-fill enabled:
[10] The pictured survey was customized to look like a standard Google Drive form and differs from the proof-of-concept HTML above.
Note that there is no obvious login form in the above screenshot, [11] but any victim who clicks Submit while using a password manager that auto-filled their credentials would send their username and password to https://isecpartners.com. [12]
Outlook.com (https://mail.live.com) users were best off, because the mail application uses mitigations that prevent cross-origin submissions of any kind, which prevents this attack.
2.7 How password manager extensions compare with modern browsers
We determined that browser auto-fill mechanisms were far more secure than the extensions tested. Both Firefox and Chrome respect the same-origin policy when filling passwords and do not auto-fill passwords when the URI scheme (http/https) or the subdomain of the form target differs from the current page. In addition, browsers refuse to auto-fill passwords when a login form is sent to a domain different from the domain it is displayed on. However, passwords are auto-filled on any page of a web application as long as it is within the same domain.
3 Native Application Flaws
Native application password managers can also be attacked just like any other software. We examined one such application: 1Password. 1Password performed automatic updates in an insecure manner by reaching out to an unprotected endpoint: http://updates.agilebits.com/check?.... If an update was discovered, the software would be automatically installed using admin privileges.
Because the update was performed over HTTP, a man-in-the-middle attacker could purport to be the legitimate update server and serve the 1Password application an arbitrary piece of malware that would be installed with administrator privileges and completely compromise the victim's machine.
Note that AgileBits has reportedly patched this vulnerability.
[11] The warning about submitting passwords is inserted by default into every Google Drive form and is unrelated to the described attack.
[12] Although Google does warn that a form is about to be submitted, the warning appears for any in-line form submission. For example, this warning will appear when a Google Docs-based survey is filled out in an email. A user who is expecting to be submitting a survey about pets will likely click through the warning.
4 Conclusions
Password managers can still be a huge asset to users when used properly. Unfortunately, it appears that many popular password managers are insecure by default, but there are simple actions that users can take to use a password manager safely. There are also fairly simple improvements that password managers could introduce which would help improve their security.
4.1 Recommendations for Users
Most of the tested password managers are designed to detect login credential forms. Although auto-fill and auto-login functionality can make password managers more user friendly, those features greatly increase the risk of password theft using the techniques described above. iSEC highly recommends disabling any auto-fill or auto-submit functionality in password managers. Without auto-fill or auto-submit functionality enabled, users will have to manually indicate that the password form should be filled with the saved credentials, and a phishing attack such as the one described in section 2.6 will be much more difficult to mount.
Other general recommendations that are not specific to this research include:
Use the password manager to generate a random password instead of picking one yourself if possible. Random passwords are much more difficult to guess, and one of the benefits of a password manager is that you don't have to memorize it.
Register a unique password for every site so that one password compromise will not affect others. Password managers are designed to make this easy to do.
Only submit passwords on pages that are entirely HTTPS.
Choose a strong master password to protect your individual passwords, as it could still potentially be brute-forced on a stolen device.
Although imperfect, a properly used password manager can still have a large positive impact on an individual's security.
4.2 Recommendations for Password Manager Software Developers
Password managers have some serious weaknesses that can make it easy for an attacker to remotely steal a user's password. Password managers configured to auto-fill login forms can be exploited through a simple survey-based phishing attack that a victim views through a web browser. The MaskMe password manager could be exploited directly with a simple network attack to harvest a large number of a victim's credentials at once.
We highly recommend that password managers respect the same-origin policy concept, specifically in regard to subdomains and protocol scheme. Additionally, users should be given the option of configuring cross-origin credential submission, and it should be disabled by default.