1

Utkarsha Mishra COMPSCI 725

David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings of the

23rd USENIX Security Symposium. 2014.

Password Managers

2

SUMMARY

1 Authors begin with analyzing the autofill policies of 10 popular password managers.

2 Then they present some corner cases in autofill policies which can lead to attacks enabling attackers to extract password remotely without user’s knowledge.

3 Provide recommendations for strengthening the credential security of password managers, Forcing User Interaction and Secure Filling

I will be focusing on one of their recommendations.

3

THREAT MODELVictim WiFi Router Website

Request for login page

User credentials

Login page content

Malicious JS

Script sends credentials

4

ATTACKS

Attack Successful

Tampering:The attacker injects malicious JS

by tampering with the network traffic.

1

2

3

Make the victim visit a website:The target/victim is redirected

to a vulnerable webpage of the site.

Exfiltration of the password:Stealth : Use JS to pass user

credentials.Form Action : Modify form’s

action.

Secure Filling

5

SECURE FILLING

1 PMs store the form action present in the login form along with username and password.

2 During autofill, the password field becomes unreadable by JavaScript. A dummy value is shown in the field but when submitting the form, the dummy value is replaced by the real value.

3 Any changes in username or password fields while an autofill is in progress, the autofill will abort and password field will be cleared out.

The authors propose :

4 Once autofill is done and all JavaScript has run, the PM checks that the form’s action matches the domain of the action it has stored.

6

SECURE FILLING

1 Many websites frequently update/change form action. In this case, if form action is changed, autofill gets aborted. Also, susceptible to self-exfiltration attacks.

2 Making password field unreadable by JS, authors have just implemented this on Chrome browser. While implementing this on other browsers might be straightforward, implementation on third-party PMs would require some API.

3 AJAX-based logins are incompatible with Secure Filling. They propose two workarounds but both would require the websites to make changes in their login mechanism.

Limitations of Secure Filling:

4 HTML doesn’t distinguish between password fields on registration pages and login forms. Most registration pages use JS to evaluate entries, therefore JS will have access to passwords during registration process.

7

CONCLUSION

1 Secure Filling may seem like a better defense against autofill attacks, but implementation might be difficult and would require extended HTML support and websites to change their login systems.

2 Most password managers autofill other information like name, phone number, credit card info etc. which can be equally harmful as stealing passwords.

3 While Secure Filling does make PMs secure to the attacks they’ve mentioned in the paper, authors acknowledge that other threat models and attack vectors can still exfiltrate password or other autofill information.

THANK YOU!

Q&A SESSION