Protecting users against XSS-based password manager abuse

To ease the burden of repeated password authentication on multiple sites, modern Web browsers provide password managers, which offer to automatically complete password fields on Web pages, after the password has been stored once. Unfortunately, these managers operate by simply inserting the clear-text password into the document's DOM, where it is accessible by JavaScript. Thus, a successful Cross-site Scripting attack can be leveraged by the attacker to read and leak password data which has been provided by the password manager. In this paper, we assess this potential threat through a thorough survey of the current password manager generation and observable characteristics of password fields in popular Web sites. Furthermore, we propose an alternative password manager design, which robustly prevents the identified attacks, while maintaining compatibility with the established functionality of the existing approaches.
