Presentation is loading. Please wait.

Presentation is loading. Please wait.

Password Managers: Attacks and Defenses

Published byDeirdre Bryant Modified over 6 years ago

Similar presentations

Presentation on theme: "Password Managers: Attacks and Defenses"— Presentation transcript:

1 Password Managers: Attacks and Defenses
David Silver , Suman Jana , Dan Boneh , Eric Chen , Collin Jackson Presenter: Wenting Tan Date: Oct 20/ 2014 Computer Science Department, College of William&Mary Adapted from Author’s original slides

2 PM is a tool for… Convenience? Security? Goal: Both!

3 Password Manager Workflow
Topic of this talk Autofill username and password Save manually entered password

4 Outlines Survey variety of PMs Attacks Defenses
Conclusions & Discussion

5 Manual Autofill Page Load User Interaction

6 Convenient…but hard to make secure
Automatic Autofill Page Load User Interaction Convenient…but hard to make secure

7 Automatic Autofill Corner Cases
Should we autofill? Automatic Autofill Corner Cases

8 Should we autofill? The contestants
Browser-based: Android Browser 4.3 Chrome 34 Firefox 29 Safari 7.0 IE 11 Third-party: 1Password 4.5 LastPass 2.0 KeePass 2.24 Keeper 7.5 Norton IdentitySafe 2014

9 Should we autofill? Form action
A form’s action specifies where the form’s contents will be sent to upon submission

10 Should we autofill? Different form action
At Save: Now: <form action=“login.php"> <form action=“ Automatic Autofill: HTTPS Action is changed by JavaScript after autofilling. form.action = “ 7/10

11 Should we autofill? Click through HTTPS warning
Automatic Autofill:

12 Should we autofill? iFrame not same-origin with parent
Automatic Autofill:

13 Outlines Survey variety of PMs Attacks Defenses
Conclusions & Discussion

14 Stealing multiple passwords without user interaction
Sweep Attacks Stealing multiple passwords without user interaction

15 Threat Model: Coffee-shop Attacker
1. 2. Save Password for b.com Browse a.com Goal: Trick password manager into revealing b.com’s password

16 Obligatory Food Example

17 Redirect Sweep Attack on HTTP Login Page
GET papajohns.com REDIRECT att.com GET att.com + attacker JS att.com automatic autofill att.com password stolen! GET papajohns.com papajohns.com

18 Redirect Sweep Attack Demo (Fast)

19 Redirect Sweep Attack Demo (Slow)

20 Load Login Page over HTTP (submit over HTTP or HTTPS)
HTTP Login Pages Alexa Top 500* Login Pages 408 Load Login Page over HTTP (submit over HTTP or HTTPS) 194 47% HTTP pages trivially vulnerable to code injection by coffee shop attacker att.com vulnerable because it loads login page over HTTP (even though it submits over HTTPS) *as of October 2013

21 Attacking HTTPS XSS Injection [18] Cross-site scripting vulnerability
JavaScript modify pages Active Mixed Content [24] Trick user into clicking through HTTPS warning

22 Other sweep attacks (see paper)
iFrame sweep attack Inject in iFrames Window sweep attack e.g. the landing page -> victim pages in a separate window (JavaScript disguise) Login form JavaScript

23 Sweep Attacks Vulnerability
Vulnerable Automatic Manual Not Vulnerable

24 Outlines Survey variety of PMs Attacks Defenses
Conclusions & Discussion

25 Defending against sweep attacks

26 Defense #1: Manual Autofill as secure as manual entry
Page Load Less convenient? Fill-and-Submit Still just one click for the user

27 Can we do better? Security

28 Defense #2: Secure Filling more secure than manual entry
Don’t let JavaScript read autofilled passwords Let form submit only if action matches action when password was first saved (Site must submit form using HTTPS) Prototype implementation in Chromium (~50 lines)

29 More secure than manual entry
Security

30 Limitations of Secure Filling…

31 AJAX 10 sites out of Alexa Top 50* use AJAX to submit password forms
Using JavaScript to read the form fields Workarounds Submit form in iFrame Browser provide additional API -> allows JavaScript to submit the password without being able to read *as of October 2013

32 Disclosure Disclosed results to password vendors
Warning when autofilling HTTPS passwords on HTTP pages Don't automatically autofill passwords in iFrames not same-origin with parent

33 Server-side Defenses Use HTTPS on both login page and submission page
Make login page JavaScript ineffective Host the login page in a different subdomain that the rest of the site.

34 Outlines Survey variety of PMs Attacks Defenses
Conclusions & Discussion

35 Conclusions Automatic autofill has lots of corner cases
Sweep Attacks: steal passwords without any user interaction Defenses Require user interaction before filling passwords Secure Filling Just as convenient for user but much more secure

36 Questions & Discussions
Websites may change actions “Secure Filling” works? How frequently sites change? Any other idea to make PM secure?

37

38 Back Up Slides

39 HTTP Login Pages Alexa Top 500* Login Pages 408 —
Load over HTTP, submit over HTTPS 71 17% Load and submit over HTTP 123 30% Load over HTTP 194 47% *as of October 2013

40 What about strength checkers?
Only needed on registration forms Use JavaScript to read password field Don’t conflict with secure filling - password managers shouldn’t be filling existing passwords on registration forms

Download ppt "Password Managers: Attacks and Defenses"

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.

Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.

Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.

Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.

Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
File Upload Instructions and Information The File Upload utility is used for transferring files too large to send through the email system. How it Works:

File Upload Instructions and Information The File Upload utility is used for transferring files too large to send through the system. How it Works:
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18, 2013 1.

Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
WEB SPOOFING by Miguel and Ngan. Content Web Spoofing Demo What is Web Spoofing How the attack works Different types of web spoofing How to spot a spoofed.

WEB SPOOFING by Miguel and Ngan. Content Web Spoofing Demo What is Web Spoofing How the attack works Different types of web spoofing How to spot a spoofed.

Similar presentations

Ads by Google