Password Managers: Attacks and Defenses
Citations: 5 - 0 self
Citations
173 | Stronger Password Authentication Using Browser Extensions.
- Ross, Jackson, et al.
- 2005
Citation Context ... authentication systems: Another related line of research investigated designing secure password authentication systems that can choose strong domain-specific passwords with minimal user intervention [34, 22]. The main motivation behind these works is to minimize the damage caused by users mistakenly revealing their passwords through phishing websites or social engineering. These solutions also protect aga...
119 | Crying Wolf: An Empirical Study of SSL Warning Effectiveness.
- Sunshine, Egelman, et al.
- 2009
Citation Context ...xtract user passwords from the password manager, even for sites where the login page is served over HTTPS. Indeed, several prior works have found that users often tend to click through HTTPS warnings [41, 3]. The user may decide to click through the warning and visit the site anyway, but not enter any sensitive information. Nevertheless, the user’s password manager autofills the password resulting in pas...
86 | Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
- Wu, Miller, et al.
- 2006
Citation Context ...asswords and thus do not help in preventing against the attacks we presented in this paper. There are also several research works that built password authentication systems that supported autofilling [45, 44]. However, their primary goal was to prevent phishing attacks. In this paper, we focus on existing password managers and thus do not evaluate how vulnerable these systems are against our attacks. Sand...
74 | A convenient method for securely managing passwords.
- HALDERMAN, WATERS, et al.
- 2005
Citation Context ... authentication systems: Another related line of research investigated designing secure password authentication systems that can choose strong domain-specific passwords with minimal user intervention [34, 22]. The main motivation behind these works is to minimize the damage caused by users mistakenly revealing their passwords through phishing websites or social engineering. These solutions also protect aga...
70 | Passpet: convenient password management and phishing protection.
- YEE, SITAKER
- 2006
Citation Context ...asswords and thus do not help in preventing against the attacks we presented in this paper. There are also several research works that built password authentication systems that supported autofilling [45, 44]. However, their primary goal was to prevent phishing attacks. In this paper, we focus on existing password managers and thus do not evaluate how vulnerable these systems are against our attacks. Sand...
45 | Busting Framebusting: a Study of Clickjacking Vulnerabilities at Popular Sites.
- Rydstedt, Bursztein, et al.
- 2010
Citation Context ...act with the login form without them realizing it, the same exfiltration techniques can be used to steal the password as soon as the password form is filled. We created a simple “clickjacking” attack [23, 37, 25]. The attacker presents the user with a benign form seemingly unrelated to the target site. Overlaying the benign form is an invisible iFrame pointing to the target site’s login page. The iFrame is po...
27 | HTTP state management mechanism
- Barth
- 2010
Citation Context ...alicious JavaScript into the login page, passwords autofilled by the password manager will remain secure so long as the form is submitted over HTTPS. This defense is somewhat akin to HttpOnly cookies [4], but applied to autofilled passwords: they can be submitted to the web server, but cannot be accessed by JavaScript. We discuss compatibility issues at the end of the section. Our proposed defense wo...
25 | Alice in Warningland: A large-scale field study of browser security warning effectiveness.
- Akhawe, Felt
- 2013
Citation Context ...xtract user passwords from the password manager, even for sites where the login page is served over HTTPS. Indeed, several prior works have found that users often tend to click through HTTPS warnings [41, 3]. The user may decide to click through the warning and visit the site anyway, but not enter any sensitive information. Nevertheless, the user’s password manager autofills the password resulting in pas...
16 | Clickjacking: Attacks and Defenses.
- Huang, Moshchuk, et al.
- 2012
Citation Context ...act with the login form without them realizing it, the same exfiltration techniques can be used to steal the password as soon as the password form is filled. We created a simple “clickjacking” attack [23, 37, 25]. The attacker presents the user with a benign form seemingly unrelated to the target site. Overlaying the benign form is an invisible iFrame pointing to the target site’s login page. The iFrame is po...
14 | New tricks for defeating SSL in practice
- Marlinspike
- 2009
Citation Context ... the login form at the router and mount all the sweep attacks discussed in the previous section. Clearly serving a login form over HTTP is bad practice because it exposes the site to SSLstrip attacks [31]. However extracting passwords via SSLstrip requires users to actively enter their passwords while connected to the attacker’s network and visiting the victim page. In contrast, the sweep attacks in t...
13 | Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control
- CHEN, GORBATY, et al.
- 2012
Citation Context ...e effort. The only downside for sites that do not make the required modifications is that their users will not be able to use some password managers. Preventing self exfiltration attacks. Chen et al. [11] point out that in some cases an attacker can extract data using what they call “self-exfiltration.” In our setting this translates to the following potential attack: if any page on the victim site su...
8 | Toward Secure Embedded Web Interfaces.
- Gourdin, Soman, et al.
- 2011
Citation Context ...TTP by default because the channel is assumed to be protected by a WiFi encryption protocol such as WPA2. Indeed, Gourdin et al. report that the majority of the embedded web interfaces still use HTTP [20]. Similarly, internal servers in a corporate network may also serve web login pages over HTTP because access to these servers can only be done over a Virtual Private Network (VPN). Sweep attacks are v...
8 | The emperor’s new password manager: Security analysis of web-based password managers
- Li, He, et al.
- 2014
Citation Context ...strate attacks against Android password managers. However, their attacks were specific to the Android operating system, and most relied upon a malicious Android app, not a network attacker. Li et al. [30] survey a variety of vulnerabilities specific to third-party web-based password managers and a web attacker, then discuss mitigation strategies. They do not discuss browser or native code password man...
7 | XSS Exploits: Cross Site Scripting Attacks and Defense.
- FOGIE, GROSSMAN, et al.
- 2007
Citation Context ...can be used by a network attacker to inject arbitrary scripts [24]. XSS Injection. A cross-site scripting vulnerability in a page allows the attacker to inject JavaScript to modify the page as needed [18]. XSS vulnerabilities are listed as one of the most common web vulnerabilities in 2013 internet security threat report by Symantec [14]. If an XSS vulnerability is present on any page of the victim si...
5 | secure password managers and military-grade encryption on smartphones: Oh, really? Blackhat Europe
- Belenko, Sklyarov
- 2012
Citation Context ...about finding vulnerabilities in existing password managers as well as building stronger password authentication systems. We summarize them below. Vulnerabilities in password managers: Belenko et al. [5] and Gasti et al. [19] surveyed several password managers and found that most of them save passwords to device storage in an insecure manner. However, these attacks have a very different threat model ...
3 | Password management concerns with ie and firefox, part one
- Felker
- 2010
Citation Context ...illed into these forms is not tied to any particular origin. However, for completeness, we summarize our findings about attacks against autofilling of regular forms in Appendix A. Some existing works [17, 42] have demonstrated how an attacker can use injected JavaScript to steal user’s stored passwords in a password manager for login pages that are either vulnerable to XSS attacks or are fetched over HTTP...
3 | On The Security of Password Manager Database Formats
- Gasti, Rasmussen
- 2012
Citation Context ...bilities in existing password managers as well as building stronger password authentication systems. We summarize them below. Vulnerabilities in password managers: Belenko et al. [5] and Gasti et al. [19] surveyed several password managers and found that most of them save passwords to device storage in an insecure manner. However, these attacks have a very different threat model than the attacks descr...
3 | Http strict transport security (hsts). http://www.hjp.at/doc/rfc/rfc6797.html
- Hodges, Jackson, et al.
Citation Context ...processed by browser plugins, are harder to block. For example, embedding a Shockwave Flash (SWF) file over HTTP if not blocked correctly can be used by a network attacker to inject arbitrary scripts [24]. XSS Injection. A cross-site scripting vulnerability in a page allows the attacker to inject JavaScript to modify the page as needed [18]. XSS vulnerabilities are listed as one of the most common web...
3 | Protecting Users Against XSS-based Password Manager Abuse
- Stock, Johns
- 2014
Citation Context ... content, broken SSL, embedded device admin pages etc.) and attack techniques (such as the redirect attack). Using XSS attacks for stealing autofilled passwords has also been explored by Stock et al. [40]. They suggested that the password managers can prevent such attacks by using a placeholder dummy password for autofilling and replacing it with the original one just before submitting the login form ...
3 | Password managers: Exposing passwords everywhere
- Blanchou, Youn
- 2013
Citation Context ...illed passwords besides XSS attacks. We also investigate several different third-party password managers together with the builtin password managers that were analyzed by Stock et al. Blanchou et al. [6] describe several weaknesses of password manager browser extensions and implement a phishing attack that demonstrates the danger of automatic autofill. They do not examine any built-in browser passwor...
2 | 360493 - (cve-2006-6077) cross-site forms + password manager = security failure. https://bugzilla.mozilla.org/show_bug.cgi?id=360493
- Bug
Citation Context ...tacks or are fetched over HTTP. However, unlike our attacks, these attacks require that users willingly visit the vulnerable website at the presence of the attacker. Reverse Cross-Site Request (RCSR) [7] vulnerabilities perform phishing attacks by leveraging the fact that several password managers will fill in passwords to login forms even if the form’s action differs from the action when the passwor...
2 | 534541 - passwords from login manager can be intercepted by mitm attacker (e.g. evil wifi hotspot or dns poisoning). https://bugzilla.mozilla.org/show_bug.cgi?id=534541
- Bug
Citation Context ...e attackers to launch click-jacking attacks. In contrast, autofilling only after explicit user interaction with the login form as suggested in Section 5 is robust against such attacks. A Firefox bug [8] discusses man-in-the-middle attacks against the password manager similar to our redirect attack. Another bug [9] suggests that filled passwords should not be readable by JavaScript. Their approach is...
2 | 653132 - auto-filled password fields should not have their values available to javascript). https://bugzilla.mozilla.org/show_bug.cgi?id=653132
- Bug
Citation Context ...the login form as suggested in Section 5 is robust against such attacks. A Firefox bug [8] discusses man-in-the-middle attacks against the password manager similar to our redirect attack. Another bug [9] suggests that filled passwords should not be readable by JavaScript. Their approach is similar to our secure filling, but remains vulnerable to exfiltration using the action attribute. Although both ...
2 | 786276 - don’t autofill passwords in frames that are not same-origin with top-level
- Bug
Citation Context ... not discuss browser or native code password managers, nor a network attacker. Both the Chromium and Firefox bug databases have bugs filed to prevent autofilling of login information inside an iFrame [12, 10]. However, preventing autofilling of passwords inside iFrames will not prevent the window sweep or the redirect attacks described in Section 4. At the time of this writing, only the Chromium bug has b...
2 | 163072: Chrome should only fill in saved passwords after user action. https://code.google.com/p/chromium/issues/detail?id=163072
- Issue
Citation Context ... not discuss browser or native code password managers, nor a network attacker. Both the Chromium and Firefox bug databases have bugs filed to prevent autofilling of login information inside an iFrame [12, 10]. However, preventing autofilling of passwords inside iFrames will not prevent the window sweep or the redirect attacks described in Section 4. At the time of this writing, only the Chromium bug has b...
2 | 257156: Don’t autofill passwords on page load for iframed content. https://code.google.com/p/chromium/issues/detail?id=257156
- Issue
Citation Context ...g of passwords inside iFrames will not prevent the window sweep or the redirect attacks described in Section 4. At the time of this writing, only the Chromium bug has been fixed. Another Chromium bug [13] seeks to only autofill forms after the user interacts with the login page, but not necessarily the login form. This is not yet implemented, however, increasing the scope of interaction to the entire ...
2 | 2013 internet security threat report, volume 18. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
- Corp
Citation Context ...s the attacker to inject JavaScript to modify the page as needed [18]. XSS vulnerabilities are listed as one of the most common web vulnerabilities in 2013 internet security threat report by Symantec [14]. If an XSS vulnerability is present on any page of the victim site, the sweep attacks will work even if the site’s login page is served over HTTPS. For example, the attacker simply includes an iFrame...
2 | Why you should not use autocomplete. https://yoast.com/autocomplete-security
- Valk
Citation Context ...reat model than the ones requiring physical access. Besides autofilling of passwords, several password managers also support autofilling of forms with information like name, phone no etc. Prior works [15, 33, 21] have shown that an attacker can steal autofilled information by using specially crafted forms. This is a different class of attack than the attacks on login forms as unlike login passwords, informati...
2 | get off of my clipboard
- Hey
- 2013
Citation Context ... attack. They suggest that password managers prevent the cross-domain submission of passwords (what we called action exfiltration in this paper), but do not consider stealth exfiltration. Fahl et al. [16] demonstrate attacks against Android password managers. However, their attacks were specific to the Android operating system, and most relied upon a malicious Android app, not a network attacker. Li e...
2 | I know who your name, where you work, and live (safari v4 & v5). http://jeremiahgrossman.blogspot.com/2010/07/iknow-who-your-name-where-you-work-and.html
- Grossman
Citation Context ...reat model than the ones requiring physical access. Besides autofilling of passwords, several password managers also support autofilling of forms with information like name, phone no etc. Prior works [15, 33, 21] have shown that an attacker can steal autofilled information by using specially crafted forms. This is a different class of attack than the attacks on login forms as unlike login passwords, informati...
2 | identity safe: Password manager & online identity security. https://identitysafe.norton.com
- Norton
Citation Context ...clude: • Desktop Browser PMs: Google Chrome 34, Microsoft Internet Explorer 11, Mozilla Firefox 29, and Apple Safari 7. • 3rd Party PMs: 1Password [1], LastPass [29], Keeper [28], Norton IdentitySafe [26], and KeePass [27]. All of these besides KeePass provide browser extensions that support password field autofill. Internet Explorer 11 uses a hybrid approach: it automatically autofills passwords on p...
2 | Automated password extraction attack on modern password managers. Unpublished
- Gonzalez, Chen, et al.
- 2013
Citation Context ...th could be extended to work with password managers as we describe in this paper. An early unpublished version of this paper, containing only a subset of the results, appears as a technical report in [32]. 7 Conclusions In this paper we surveyed a wide variety of password managers and found that they follow very different and inconsistent autofill policies. We showed how an evil coffee shop attacker c...
2 | How to take advantage of chrome autofill feature to get sensitive information. http://blog.elevenpaths.com/2013/10/how-to-take-advantage-of-chrome.html
- Rodriguez
Citation Context ...reat model than the ones requiring physical access. Besides autofilling of passwords, several password managers also support autofilling of forms with information like name, phone no etc. Prior works [15, 33, 21] have shown that an attacker can steal autofilled information by using specially crafted forms. This is a different class of attack than the attacks on login forms as unlike login passwords, informati...
2 | Stealing user information via automatic form filling. http://ha.ckers.org/blog/20060821/stealing-user-information-via-automaticform-filling
- RSnake
Citation Context ... trick the user into visiting his site, then launch the attack through the XSS vulnerability. This style of attack requires no access to the user’s network and has been suggested previously by RSnake [35] and Saltzman et al. [38]. Leftover Passwords. The user’s password manager may contain leftover passwords from older, less secure versions of a site. An attacker could spoof the old site to steal the ...
2 | certificate for private internal ip address or local intranet server name. http
- Ssl
Citation Context ... Embedded Devices II. Some home routers serve their login pages over HTTPS, but use self-signed certificates. An attacker can purchase a valid certificate for the same common name as the router’s [36] or generate its own self signed certificate. When the user’s machine connects to the attacker’s network, the attacker can spoof the user’s home router by presenting a valid certificate for the router...
2 | input type=password must die. W2SP
- Sandler, Wallach
- 2008
Citation Context ... al. proposed the ‘password booth’, a new secure browser-controlled mechanism to let users securely enter passwords that are not unaccessible from JavaScript running as part of the host page’s origin [39]. Their solution is similar to our secure filling defense, but does not take password managers into account. Secure filling takes advantage of password managers to provide guarantees the password boot...
2 | Active man in the middle attacks. OWASP
- Saltzman, Sharabani
- 2009
Citation Context ...ting his site, then launch the attack through the XSS vulnerability. This style of attack requires no access to the user’s network and has been suggested previously by RSnake [36] and Saltzman et al. [39]. Leftover Passwords. The user’s password manager may contain leftover passwords from older, less secure versions of a site. An attacker could spoof the old site to steal the leftover password. Unless...
1 | The war against autocomplete=off
- Adamantiadis
- 2013
Citation Context ...imilar to our secure filling, but remains vulnerable to exfiltration using the action attribute. Although both bugs are several years old, neither has been acted upon. Password manager features: Aris [2] discusses the autocomplete attribute and why setting autocomplete=off results in poor security in addition to a bad user experience. Secure password authentication systems: Another related line of re...
1 | Abusing password managers with xss
- Toews
- 2012
Citation Context ...illed into these forms is not tied to any particular origin. However, for completeness, we summarize our findings about attacks against autofilling of regular forms in Appendix A. Some existing works [17, 42] have demonstrated how an attacker can use injected JavaScript to steal user’s stored passwords in a password manager for login pages that are either vulnerable to XSS attacks or are fetched over HTTP...
1 | The autocomplete attribute
- W3C
Citation Context ...tofill behavior is captured in the third and fourth columns of Table 1. Autocomplete attribute A website can use the autocomplete attribute to suggest that autocompletion be disabled for a form input [43]: <input autocomplete="off" ... > We find that Firefox, Mobile Safari, the default Android Browser, and the iOS version of Chrome respect the autocomplete attribute when it is applied to a password in...