TY - GEN
T1 - Exploiting Leakage in Password Managers via Injection Attacks
AU - Fábrega, Andrés
AU - Namavari, Armin
AU - Agarwal, Rachit
AU - Nassi, Ben
AU - Ristenpart, Thomas
N1 - Publisher Copyright:
© USENIX Security Symposium 2024.All rights reserved.
PY - 2024/1/1
Y1 - 2024/1/1
N2 - This work explores injection attacks against password managers. In this setting, the adversary (only) controls their own application client, which they use to “inject” chosen payloads to a victim's client via, for example, sharing credentials with them. The injections are interleaved with adversarial observations of some form of protected state (such as encrypted vault exports or the network traffic received by the application servers), from which the adversary backs out confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames, and attachments. We develop general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of ten distinct password manager applications. We disclosed our findings to these vendors, many of which deployed mitigations.
AB - This work explores injection attacks against password managers. In this setting, the adversary (only) controls their own application client, which they use to “inject” chosen payloads to a victim's client via, for example, sharing credentials with them. The injections are interleaved with adversarial observations of some form of protected state (such as encrypted vault exports or the network traffic received by the application servers), from which the adversary backs out confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames, and attachments. We develop general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of ten distinct password manager applications. We disclosed our findings to these vendors, many of which deployed mitigations.
UR - http://www.scopus.com/inward/record.url?scp=85204954052&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85204954052
T3 - Proceedings of the 33rd USENIX Security Symposium
SP - 4337
EP - 4354
BT - Proceedings of the 33rd USENIX Security Symposium
PB - USENIX Association
T2 - 33rd USENIX Security Symposium, USENIX Security 2024
Y2 - 14 August 2024 through 16 August 2024
ER -