The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

By Devdatta Akhawe on 27 Jan 2015 @ OWASP AppSec California
#web-security #xss #csrf #authentication #secure-development
Focus Areas: 🔐 Application Security , ⚙️ DevSecOps , 🪪 Identity & Access Management , 🌐 Web Application Security

Abstract

We conduct a security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to typical vulnerabilities like CSRF and XSS. Our study suggests that it remains a challenge for password managers to be secure. To guide future development, we provide guidance for password manager developers. Given the diversity of vulnerabilities we identified, we advocate a defense-in-depth approach to ensure the security of password managers.

AI Generated Summary

This research presented a security analysis of five widely used web-based and browser-based password managers: LastPass, RoboForm, My1Login, PasswordBox, and NeedMyPassword. The study evaluated these products against three core security properties: master account security, resistance to unauthorized access or theft, and user privacy protection.

Four general classes of critical vulnerabilities were discovered across all products, with no product being fully secure against all four. First, bookmarklet-based implementations were found to be fundamentally insecure due to running in the untrusted context of a visited website. Attacks allowed an adversary to steal passwords for any site by tricking a user into clicking a malicious bookmarklet, exploiting parameters that lacked proper origin validation. Second, classic web vulnerabilities such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) were identified. A CSRF flaw in LastPass’s one-time password feature allowed an attacker to reset the victim’s password, gaining access to unencrypted metadata (usernames, URLs). Third, authorization flaws in password-sharing features were found. Both My1Login and PasswordBox failed to verify that a user requesting to share a credential actually owned it, instead only checking for a valid account. In PasswordBox’s case, sequential asset IDs enabled enumeration and theft of credential metadata, with some passwords stored unencrypted on the server. Fourth, user interface design in RoboForm’s bookmarklet flow trained users to enter their master password into an untrusted iframe on a phishing site, completely bypassing the manager’s phishing protection.

Mitigations discussed included isolating bookmarklet logic in iframes with strict postMessage targeting, implementing strong Content Security Policy (CSP) and universal CSRF tokens, avoiding sequential identifiers, and redesigning UI flows to mandate manual login in a new, verified window. A notable positive finding was that client-side encryption often limited the impact of server-side compromises by protecting password confidentiality.

The work concludes that while password managers remain a crucial solution to the authentication problem, the studied implementations exhibited a wide spectrum of serious security failures. The speaker advocates for a systematic, defense-in-depth approach to their development, emphasizing that their sensitivity demands the highest security standards.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.