Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.

Slides:



Advertisements
Similar presentations
Minnesota Registration and Certification (MR & C) History of Electronic systems January 1, 2010.
Advertisements

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Using LastPass CONFIDENTIAL.  Great password management is impossible w/o a great tool  Auto-fill (hands-free login) will save you approximately 1 hour.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
All Your Browser-saved Passwords Could Belong to Us - A Security Analysis and a Cloud-based New Design By Rui Zhao, Chuan Yue ACM Conference on Data and.
Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
PASSWORD MANAGEMENT MADE EASY A Project Play Date - September 26, 2008 Beth Carpenter, Library Services Manager, Outagamie Waupaca Library System.
Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
It is a clinical search engine developed by Elsevier Health Books* - over 1,100 of Elsevier's medical and surgical reference books Journals* - over 500.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.
Gaurav Aggarwal and Elie Bursztein, Collin Jackson, Dan Boneh, USENIX (Aug.,2010) A N A NALYSIS OF P RIVATE B ROWSING M ODES IN M ODERN B ROWSERS 1.
Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.
Tips and Tricks Presented by the VPS Tech Team. BROWSER SUPPORT Jonathan Nogales.
Robust Defenses for Cross-Site Request Forgery
Grid Chemistry System Architecture Overview Akylbek Zhumabayev.
Accessing Extras Portal February 9, Finding Link to Extras Portal -The Extras Portal is accessed via the Expedient Extranet -Via the “Manage Extras”
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.
Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities.
Using LastPass. Great password management is impossible w/o a great tool Auto-fill (hands-free login) will save you approximately one hour per month You.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
Cross-site request forgery Collin Jackson CS 142 Winter 2009.
When Good Standards Go Bad IETF 83 | March 25, 2012 Chris Weber, Casaba Security.
Employer Login Setup & Password Reset. The following information is available by either going to FFGA Marketing Sharepoint site at
1 Utkarsha MishraCOMPSCI 725 David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings.
Log on to Your user name will be the same as your current address except after sign you must enter “irs-mos.org”.
Sitecore Basic Training Drexel’s full-featured web content management system (CMS) Web Support Information Resources & Technology (IRT)
Fab25 User Training Cerium Labs LabCollector - LIMS Lynette Ballast.
Sitecore Basic Training Content Management System (CMS) University Communications Web Services
Securing the Human. Presented by Thomas Nee, Computer Coordinator Town of Hanover, Massachusetts hanover-ma.gov/information-technology October is Cyber.
CAESked Computer Aided Engineering Scheduler. Introduction Team Members: Chris Fruin & Jerry Grochowski What CAESked is: Web based class scheduling application.
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
IT Security Awareness Day October 19, 2016
Javascript worms By Benjamin Mossé SecPro
Group 18: Chris Hood Brett Poche
Selenium HP Web Test Tool Training
WEB APPLICATION TESTING
Selenium HP Web Test Tool Training
Cross-Site Forgery
How to register and use ODMAP for Fire/EMS and other partners
Password Managers: Attacks and Defenses
OWASP WebGoat v5 16 April 2010.
AUTOFILL FORMS. Open Internet explorer browser.
Riding Someone Else’s Wave with CSRF
Powerschool for Parents
How to Set Secret Question ?.
User Registration.
Importing your Favorites/Bookmarks
Business Zone - Clearing your Cache
Exploring DOM-Based Cross Site Attacks
Getting Started With LastPass Enterprise
Presentation transcript:

Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security 20148/21/14

A tool for… 2 Convenience?Security? Goal: Both!

Password Manager Workflow 3 Password Manager Save manually entered password Autofill username and password Topic of this talk

Manual Autofill 4 Page Load User Interaction

Automatic Autofill 5 Page Load Convenient…but hard to make secure User Interaction

Should we autofill? 6 Automatic Autofill Corner Cases

Should we autofill? The contestants 7 Browser-based: Chrome 34Firefox 29Safari 7.0 IE 11 Android Browser 4.3 Third-party: LastPass 2.0 Norton IdentitySafe Password 4.5 KeePass 2.24 Keeper 7.5

Should we autofill? Different form action 8 HTTPS Automatic Autofill: At Save:Now: Alternatively, what if action is changed by JavaScript after autofilling? form.action = “ Alternatively, what if action is changed by JavaScript after autofilling? form.action = “

Should we autofill? Different form action 9 HTTPS Alternatively, what if action is changed by JavaScript after autofilling? form.action = “ Alternatively, what if action is changed by JavaScript after autofilling? form.action = “ Automatic Autofill: At Save: Now:

Should we autofill? Click through HTTPS warning 10 Automatic Autofill:

Should we autofill? iFrame not same-origin with parent 11 Automatic Autofill:

12 Sweep Attacks Stealing multiple passwords without user interaction

Threat Model: Coffee-shop Attacker Save Password for b.com Goal: Trick password manager into revealing b.com’s password Browse a.com

Obligatory Food Example 14

Redirect Sweep Attack on HTTP Login Page 15 GET papajohns.com REDIRECT att.com GET att.com att.com GET papajohns.com papajohns.com + attacker JS automatic autofill att.com password stolen!

16 Redirect Sweep Attack Demo (Fast)

17 Redirect Sweep Attack Demo (Slow)

HTTP Login Pages 18 Alexa Top 500* Login Pages408— Load Login Page over HTTP (submit over HTTP or HTTPS) 19447% *as of October 2013 HTTP pages trivially vulnerable to code injection by coffee shop attacker att.com vulnerable because it loads login page over HTTP (even though it submits over HTTPS)

Attacking HTTPS XSS Injection Active Mixed Content Trick user into clicking through HTTPS warning 19

Other sweep attacks (see paper) 20 iFrame sweep attack Window sweep attack

Sweep Attacks Vulnerability Automatic Manual 21 Vulnerable Not Vulnerable

Defending against sweep attacks 22

Defense #1: Manual Autofill as secure as manual entry Fill-and-Submit Still just one click for the user 23 Page Load Less convenient?

Can we do better? Security 24

Defense #2: Secure Filling more secure than manual entry Don’t let JavaScript read autofilled passwords Let form submit only if action matches action when password was saved (Site must submit form using HTTPS) Prototype implementation in Chromium (~50 lines) 25

Security More secure than manual entry 26

AJAX 10 sites out of Alexa Top 50* use AJAX to submit password forms Workarounds Submit form in iFrame Create browser SendPwd API 27 *as of October 2013

Disclosure Disclosed results to password vendors Warning when autofilling HTTPS passwords on HTTP pages Don't automatically autofill passwords in iFrames not same-origin with parent 28

Conclusions Automatic autofill has lots of corner cases Sweep Attacks: steal passwords without any user interaction Defenses Require user interaction before filling passwords Secure Filling Just as convenient for user but much more secure 29

Questions? 30

HTTP Login Pages 31 Alexa Top 500* Login Pages408— Load over HTTP, submit over HTTPS7117% Load and submit over HTTP12330% Load over HTTP19447% *as of October 2013

What about strength checkers? Only needed on registration forms Use JavaScript to read password field Don’t conflict with secure filling - password managers shouldn’t be filling existing passwords on registration forms 32

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.