The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

Zhiwei Li Warren He Devdatta Akhawe Dawn Song

Electrical Engineering and Computer Sciences University of California at Berkeley

Technical Report No. UCB/EECS-2014-138 http://www.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-138.html

July 7, 2014 Copyright © 2014, by the author(s). All rights reserved.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission. The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

Zhiwei Li, Warren He, Devdatta Akhawe, Dawn Song University of California, Berkeley

Abstract page, they also provide some protection against phish- We conduct a security analysis of five popular web-based ing attacks. Add cloud-based synchronization across de- password managers. Unlike “local” password managers, vices, and password managers promise tremendous se- web-based password managers run in the browser. We curity and usability benefits at minimal deployability identify four key security concerns for web-based pass- costs [10]. word managers and, for each, identify representative vul- Given these advantages, the popular media often ex- nerabilities through our case studies. Our attacks are se- tols the security advantages of modern password man- vere: in four out of the five password managers we stud- agers (e.g., CNET [11], PC Magazine [30], and New ied, an attacker can learn a user’s credentials for arbi- York Times [34]). Even technical publications, from trary websites. We find vulnerabilities in diverse features books [12, 36] to papers [21], recommend password like one-time passwords, bookmarklets, and shared pass- managers. A recent US-CERT publication [23] notes: words. The root-causes of the vulnerabilities are also di- [A Password Manager] is one of the best verse: ranging from logic and authorization mistakes to ways to keep track of each unique password misunderstandings about the web security model, in ad- or passphrase that you have created for your dition to the typical vulnerabilities like CSRF and XSS. various online accounts without writing them Our study suggests that it remains to be a challenge for down on a piece of paper and risking that oth- the password managers to be secure; password managers, ers will see them. in their current form, may not provide sufficient security for user secrets. To guide future development of pass- Unsurprisingly, users are increasingly looking towards word managers, we provide guidance for password man- password managers for relieving password fatigue. Last- agers. Given the diversity of vulnerabilities we identi- Pass, a web-based password manager that syncs across fied, we advocate a defense-in-depth approach to ensure devices, claimed to have over a million users in Jan- security of password managers. uary 2011 [27]. PasswordBox, launched in May 2013, claims to have over a million users in less than three 1 Introduction months [44]. It is a truth universally acknowledged, that password- Our work aims to evaluate the security of popular based authentication on the web is insecure. One pri- password managers in practice. While idealized pass- mary, if not the primary, concern with password authen- word managers provide a lot of advantages, implemen- tication is the cognitive burden of choosing secure, ran- tation flaws can negate all the advantages of an idealized dom passwords across all the sites that rely on pass- password manager, similar to previous results with other word authentication. A large body of evidence suggests password replacement schemes such as SSOs [42, 40]. users have—possibly, rationally [22]—given up, choos- We aim to understand the current state of password man- ing simple passwords and reusing them across sites. agers and identify best practices and anti-patterns to Password managers aim to provide a way out of this guide the design of current and future password man- dire scenario. A secure password manager could au- agers. tomatically generate and fill-in passwords on websites, Widespread adoption of insecure password managers freeing users from the cognitive burden of remembering could make things worse: adding a new, untested sin- them. Additionally, since password managers automati- gle point of failure to the web authentication ecosystem. cally fill in passwords based on the current location of the After all, a vulnerability in a password manager could

1 allow an attacker to steal all passwords for a user in a Alice a legitimate user single swoop. Given the increasing popularity of pass- Bob a legitimate collaborator word managers, the possibility of vulnerable password hunter2 an example password dropbox.com a benign web application managers is disconcerting and motivates our work. facebook.com a benign web application We conduct a comprehensive security analysis of five /login entry point (login page) for a web application popular, modern web-based password managers. We Mallory an attacker identified four key concerns for modern web-based pass- Eve an attacker evil.com a website controlled by an attacker word managers: bookmarklet vulnerabilities, “classic” dropbox.com The dropbox.com JavaScript code web vulnerabilities, logic vulnerabilities, and UI vulner- running in the browser abilities. Using this framework for our analysis, we stud- ied each password application and found multiple vulner- Figure 1: Naming convention used in the paper. URLs abilities of each of the four types. default to https unless otherwise specified. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s cre- dentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, tally verified all our attacks in an ethical manner. We and shared passwords. The root-causes of the vulnerabil- reported all the attacks discussed below to the software ities are also diverse: ranging from logic and authoriza- vendors affected in the last week of August 2013. Four tion mistakes to misunderstandings about the web secu- out of the five vendors responded within a week of our rity model, in addition to vulnerabilities like CSRF and report, while one (NeedMyPassword) still has not re- XSS. sponded to our report. Aside from linkability vulnera- All the password manager applications we studied are bilities and those found in NeedMyPassword, all other proprietary and rely on code obfuscation/minification bugs that we describe in the paper have been fixed by techniques. In the absence of standard, cross-platform vendors within days after disclosure. None of the pass- mechanisms, the password managers we study imple- word managers had a bug bounty program. ment features like auto-fill, client-side encryption, and Organization. We organize the rest of the paper as one-time password in diverse ways. The password man- follows: Section 2 provides background on modern web- agers we study also lack a published security architec- based password managers and their features. We also ar- ture. All these issues combine to make analysis difficult. ticulate their security goals and explain our threat model Our main contribution is systematically identifying the in Section 2. Next, we present the four key sources of attack surface, security goals, and vulnerabilities in pop- vulnerabilities we used to guide our analysis (Section 3). ular password managers. Modern web-based password Section 4 presents our study of five representative pass- managers are complex applications and our systematic word managers, broken down by the source of vulnera- approach enables a comprehensive security analysis (in bilities (per Section 3). We provide guidance to password contrast to typical manual approaches). managers in Section 5. We present related work in Sec- Millions of users trust these vulnerable password man- tion 6 before concluding (Section 7). agers to securely store their secrets. Our study strikes a 2 Background note of caution: while in theory password managers pro- vide a number of advantages, it appears that real-world To start, we explain the concept of a password manager password managers are often insecure. and discuss some salient features in modern implemen- Finally, to guide future development of password man- tations. We also briefly list the password managers we agers, we provide guidance for password managers. We studied, identify the threat model we work with, and the identify anti-patterns that could hide more vulnerabili- security goals for web-based password managers. Here ties; architectural and protocol changes that would fix the and throughout this paper, we rely on a familiar naming vulnerabilities; as well as identify mitigations (such as convention (presented in Figure 1) to identify users, web Content Security Policy [14]) that could have mitigated applications, and attackers. some vulnerabilities. Our focus is not on finding fixes for the vulnerabilities we identified; instead, our guidance 2.1 A Basic Password Manager is broader and aims to reduce and mitigate any future At its core, a password manager exists as a database to vulnerabilities. Given the diversity of vulnerabilities we store a user’s passwords and usernames on different sites. identified, we believe a defense-in-depth approach has The password manager controls access to this database the best shot at ensuring the security of password man- via a master username/password. A secure password agers. manager, with a strong master password, ensures that a Ethics and Responsible Disclosure. We experimen- user can rely on distinct, unguessable passwords for each

2 web application without the associated cognitive burden word manager forwards the credential to Bob when Bob of memorizing all them. Instead, the user only has to requests it. Both Alice and Bob need accounts with the remember one strong master password. password manager. My1login even allows the password A password manager maintains a database of a user’s owner to set read/write permissions on the shared creden- credentials on different web applications. A web appli- tials, but the efficacy of these fine-grained controls is not cation is a site that authenticates its users by asking for a clear, since denying write access does not prevent a col- username/password combination. The web application’s laborator from going to the web application and changing “entry point” is the page where the application’s user can the account’s password. enter her username and password. We call the combina- Credential Encryption. Due to the particularly sen- tion of an entry point, username, and password a creden- sitive nature of the data handled by password managers, tial. A user can store multiple credentials for the same password managers aim to minimize the amount of web application, in which case a name distinguishes each code and personnel with access to the credentials in the (typically the username). clear. One common technique is encrypting the creden- Figure 2 (a) illustrates the general protocol of how a tial database on the user’s computer, thus preventing a user (Alice) uses a password manager (e.g., LastPass) to passive attacker at the server-side from accessing the cre- log in to a web application (e.g., Dropbox). Alice first dentials in plaintext. In web-based password managers, logs in to the password manager using her master user- this corresponds to using JavaScript to encrypt pass- name/password (her LastPass username and password), words on the client side (including pages on the pass- as shown in Step 1. . Then, in Step 2. , Alice retrieves word manager’s website, browser extensions, and book- her credential for dropbox.com. Finally, Alice uses this marklets). The password manager encrypts/decrypts the credential to log into dropbox.com in Step 3. and 4. . credential database using a key derivation function start- Since manually retrieving and sending credentials is ing from a user provided secret. If the password man- cumbersome, password managers may also automate the ager supports credential encryption, we call the encryp- process of selecting the appropriate credential and log- tion key the user’s master key. For example, LastPass ging in to the opened web application. This may include uses JavaScript to decrypt/encrypt the user’s credential navigating a web browser to the entry point, filling in database using a key derived from the user’s master user- some text boxes with the username/password, and sub- name and password. mitting the login form. Since these tasks involve execut- Login Bookmarklets. As discussed above, password ing code inside the web application, password managers managers typically rely on browser extensions to im- often rely on a privileged browser extension or a book- plement auto-fill and auto-login functionality. Unfortu- marklet for the same. nately, users can only install these in a browser that sup- ports extensions. With the popularity of mobile devices 2.2 Features in Modern Password Man- whose browsers lack support for extension APIs (e.g., agers Mobile Safari or Internet Explorer), password managers Modern password managers provide a number of conve- have adopted a more portable solution by providing a nience and security features that are relevant to a security bookmarklet. A bookmarklet is a snippet of JavaScript analysis. We briefly elucidate three below. code that installs as a bookmark, which, instead of navi- gating to a URL when activated, runs the JavaScript snip-

User User Collaborator pet in the (possibly malicious) context of the current page ① ③ (e.g., evil.com). This allows the password manager to ① ② interact with a login form using widely supported book- ② ④ marking mechanisms. Manager Application Manager 2.3 Representative Password Manager Ap- (a). authentication to a web application (b). sharing with a collaborator plications Figure 2: Different parties in a password manager To evaluate the security of modern password managers, scheme we studied a representative sample of five modern pass- word managers supporting a diverse mix of features. Collaboration. Modern password managers include Table 1 provides an overview of their features. The the ability to share passwords with a collaborator. Fig- columns “Extension” and “Bookmarklet” indicate sup- ure 2 (b) illustrates the general protocol of how a user Al- port for login automation through the particular mecha- ice shares a credential of hers with a collaborator Bob. In nism; “Website” indicates the presence of a web-based Step 1. , Alice requests that the password manager share account management interface; and “Credential Encryp- a specified credential with Bob. In Step 2. , the pass- tion” and “Collaboration” refer to the features described

3 n e evr efcsol ntewbbsdRbFr (Every- RoboForm web-based the us- on devices only software. across focus where) sync We not server. does web a and ing computer single a on credentials or website cre- her RoboForm access the can through user directly The Robo- files to clear. dential sent the are in files servers credential Form to these password files, master a the creates protect user the Unless files. the for “drop- for credentials uses saving when RoboForm dropbox.com applica- filename default web example, the the as For box” after has default) tuple) domain. (by point tion’s named entry file own and its password, username, [ (i.e., manager word [ (Everywhere) RoboForm 2.3.2 other. passwords each share with to users the allows also on and encrypted servers LastPass database credential website. the LastPass stores the LastPass through through directly extension, access or LastPass bookmarklet, can a the users using credentials LastPass their authentication. and passwords, two-factor one-time bookmarklets, as includes such and features platforms mobile/desktop and browsers ma- all jor nearly supports It available. applications manager users. million one is over had It LastPass 2013, [ for Magazine browsers. manager PC password and both Choice Editors’ systems and operating top-rated for the major desktops and the tablets, all phones, on available manager [ LastPass 2.3.1 encrypted. fields the and function encryption, dential in atasi n ftems ulfaue password full-featured most the of one is LastPass 1 eto 2.2 Section ooom(eko)i eso fRbFr htol stores only that RoboForm of version a is (Desktop) RoboForm LastPass RoboForm KDF(p,s,c,l) ph mu 26 passphrase : atrusername master : sapplr wr-inn password award-winning popular, a is ] o asodmngr uprigcre- supporting managers password For . h srcnas hoeabtaynames arbitrary choose also can user The . 30 NeedMyPassword PasswordBox My1login RoboForm LastPass al 1 Table sakydrvto ucin[ function derivation key a is ]. 30 1 n NT[ CNET and ] nRbFr,ec credential each RoboForm, In 35 lolssterkyderivation key their lists also saohrtprtdpass- top-rated another is ] mp ph even atrpassword master : ✓ ✓ ✓ × × ( al 1: Table odd

11 Bookmarklet ) ✓ ✓ ✓ hrcesa vn(d)pstosof positions (odd) even at characters : × × .A fAugust of As ]. 25 Extension ,wihdrvskyo length of key derives which ], ✓ ✓ ✓ ✓ × ito asodMngr Studied. Managers Password of List Website MD5( KDF( KDF( atrKyDerivation Key Master ph mp mp even , , mu mu 4 )+MD5( ,10000,32) ,5000,32) omnfaue uha uolgn rdnilsharing, credential auto-login, as such features common 2.3.5 [ PasswordBox 2.3.4 because further ( this My1login in on flaw 4.1.3 severe tion comment more simpler, not a do found we We 256- a generate key. to odd passphrase bit of the of other hash characters MD5 even to and the contrast al- concatenates In PBKDF My1login standard gorithm, the up. use which special sets managers, a user password with the server-side that all the passphrase stores at My1login appli- credentials encrypted of web accounts. credentials sharing My1login a supports two via between also credentials My1login access can cation. exten- Users browser any provide sions. not does and a on bookmarklets on exclusively For relies based My1login was service. compatibility, consumer-facing study maximum their Our of version 2013. then-beta May in prod- business-targeted launched special uct a launched started it manager, 2012; password April in web-based a is My1login 2.3.3 bookmarklet. or extension RoboForm the via ial,w losuidabscpswr manager password basic a studied [ NeedMyPassword named also we Finally, the and salt. the PBKDF2 as of username iterations PasswordBox 10000 using 256-bit derived a using key passwords all browser encrypts and a credentials users sharing between install allows to also PasswordBox users requires extension. it instead, book- support marklets; not does earlier, discussed managers word [ over users Maga- attracted million had PC one PasswordBox both 2013, May by in inception rated highly [ is zine 2013, in launched rdnilEncryption Credential l cesfrtepassword the for octets ph ph 30 odd PasswordBox My1login NeedMyPassword n NT[ CNET and ] ) . ) × × srae n passwords and usernames passwords and usernames 33 nrpe Fields Encrypted asod only passwords ,awbbsdpswr aae that manager password web-based a ], 44 p h salt the , .PswrBx nieohrpass- other unlike PasswordBox, ]. 11 .Wti he otso its of months three Within ]. 32 s n h trto count iteration the and , .NeMPswr lacks NeedMyPassword ].

× ✓ ✓ × ✓ Collaboration c . Sec- and password generation. Instead, it provides only cre- the client-side. dential storage, accessible through the NeedMyPassword Credential Database Security. The main responsi- website. User credentials are not encrypted before send- bility of a password manager is securely storing the list ing to NeedMyPassword servers. of a user’s credentials. A password manager needs to ensure the security—including confidentiality, integrity, 2.4 Threat Model and availability—of the credential database. The at- Our main threat model is the web attacker [2]. Briefly, a tacker, Eve, should not be able to learn Alice’s creden- web attacker controls one or more web servers and DNS tials, which would allow Eve to log in as Alice; or modify domains and can get a victim to visit domains controlled credentials, which would allow Eve to carry out a form of by the attacker. We believe this is the key threat model login CSRF attacks; or delete credentials, which would for web-based password managers that often run in the allow Eve to carry out a denial-of-service attack on Al- browser. For our study, we extend this model a bit: the ice. user may create an account on the attacker’s web appli- Collaborator Integrity. The collaboration, or shar- cation and use the password manager for managing the ing, feature in modern password managers complicates credentials for the same. Our threat model allows the credential databases. Now, each credential has an access- victim to rely on the password manager’s extension, the control list identifying the list of users allowed to read- bookmarklet, and website as she sees fit. The attacker /write the credential. A password manager must ensure can also create accounts in the password manager service the security of this feature: e.g., flaws in this feature and make requests to the password manager directly. could allow an attacker to learn a user’s credential. While The password manager’s code often runs in a web ap- we realize that these goals are a subset of the broader plication’s origin (via an extension or a bookmarklet). goal of credential database security (above), we sepa- We assume that the password manager’s code is not ma- rated them out to highlight the security concerns of the licious and does not steal sensitive data from web ap- sharing credentials feature. plications. We also assume that the password manager Unlinkability. The use of a password manager should does not share Alice’s credentials with user Bob, unless not allow colluding web applications to track a single asked to do so by Alice. Additionally, we assume that user across websites, possibly due to leaked identifiers. the user uses a unique password for the password man- We use the Bonneau et al.’s definition of unlinkabil- ager and does not share it with other applications such as ity [10]: a password manager violates unlinkability if evil.com. it allows tracking a user across web applications even in the absence of other techniques like web fingerprint- 2.5 Security Goal ing [16]. For example, a privacy-minded user could rely At a high level, a password manager only has one key on different browsers or computers to foil web browser security invariant: ensure that a stored password is ac- fingerprinting; a password manager should not add a re- cessed only by the authorized user(s) and the website the liable fingerprinting mechanism that makes that effort password is for. We discuss how password managers (at- moot. Such a fingerprinting mechanism would violate tempt to) achieve this invariant by following four security the user’s privacy expectations. Equivalently, relying on goals. A related taxonomy appears in Bonneau et al.’s a password manager should not allow a web application analysis of general web authentication schemes [10], but to link two accounts owned by the user with the (same) ours is a bit different since we focus exclusively on web- web application. based password managers. Nonetheless, all our goals 3 Attack Surface map to goals mentioned in Bonneau et al.’s work. As we present in Section 4, we found attacks that violate The key difference between web-based password man- all of the security goals identified below and range from agers and “local” password managers is their need to complete (password manager) account takeover to pri- work in web browsers. Web-based password managers vacy violations. store credentials in the cloud and a user logs on to the Master Account Security. The first goal of password manager to retrieve his/her credentials. Access to the manager application is the integrity of the master ac- stored credentials is via extensions, a website, or even count. It should be impossible for an attacker to authen- bookmarklets—all of which run in the browser. ticate as the user to the password manager. It is crucial To guide our investigation, we identified four key con- that the password manager maintain the security of the cerns for modern web-based password managers: book- master account and safeguard credentials such as mas- marklet vulnerabilities, classic web vulnerabilities, au- ter password and cookies. In case of password managers thorization vulnerabilities, and UI vulnerabilities. We that encrypt credentials, the master key/password used to discuss each in turn below. In the next section, we will encrypt the credential database should always remain at present representative vulnerabilities of each type.

5 3.1 Bookmarklet Vulnerabilities thorized. Confusing authentication for authorization is a JavaScript is a dynamic, extensible language with deep classic security vulnerability, one that we find even pass- support for meta-programming. The bookmarklet code, word managers make (Section 4). We separate out au- running in the context of the attacker’s JavaScript con- thorization vulnerabilities from web vulnerabilities since text cannot trust any of the APIs available to typical web they are often due to a missing check at the server-side. applications—an attacker could have replaced them with For example, all our authorization vulnerabilities involve malicious code. Relying too much on these APIs has cre- requests made by an attacker from his own browser, not ated a class of vulnerabilities unique to web-based pass- via Alice’s browser (when Alice visits evil.com). word managers. 3.4 User Interface Vulnerabilities To fill in a password on (say) dropbox.com, a pass- word manager needs to successfully authenticate a user, A major benefit of password managers is their ability to download the (possibly encrypted) credential, decrypt it mitigate phishing attacks. Users do not actually mem- (if necessary), authenticate the web application, and, fi- orize the password for a web application; instead, they nally, perform the login. Doing all this in an untrusted rely on the password manager to detect which applica- website’s scripting environment (as a bookmarklet does) tion is open and fill in the right password. The logic that is tricky. In fact, three of the five password managers we performs this is impervious to phishing attacks: it will studied (Table 1) provide full-fledged bookmarklet sup- only look at the URL to determine which credential to port, and all of them were vulnerable to attacks ranging use. from credential theft to linkability attacks (Section 4). These advantages are moot if the password manager Browser extensions, which modified the webpage, itself is vulnerable to phishing attacks. Even worse, in faced a similar problem in the past. Currently, both Fire- the case of password managers, a single phishing attack fox and Chrome instead provide native or isolated APIs can expose all of a user’s credentials. Thus, we believe for browser extensions. Unfortunately, popular mobile it behooves password managers to take extra precau- browsers, including Safari on iOS, Chrome on Android/i- tions against phishing attacks. While it is possible that Phone, and the stock Android Browser, do not support password managers are susceptible to classic phishing extensions. As a result, web-based password managers attacks, we focus on anti-patterns that make password often rely on bookmarklets instead. managers more vulnerable than the typical website. For example, consider what happens when a user 3.2 Web Vulnerabilities clicks on a password manager’s bookmarklet while not A password manager runs in a web browser, where logged in to the password manager. A simple option it must coexist with the web applications whose pass- is asking the user to login in an iframe. Unfortunately, words it manages as well as other untrusted sites. Un- this is trivial for the attacker to intercept and replace the fortunately, relying on the web platform for a security- iframe with a fake dialog. Since users cannot see the sensitive application such as password managers is URL of an iframe, there is no way for a user to identify fraught with challenges. whether a particular iframe actually belongs to the pass- Web-based password manager developers need to un- word manager and is not spoofed. We argue that this is derstand the security model of the web. For exam- an anti-pattern that password managers should avoid. ple, browsers share authentication tokens such as cook- 4 Security Analysis of Web-based Pass- ies across applications (including across applications and word Managers extensions), leading to attacks such as cross-site request forgery (CSRF). Applications running in the browser Next, we report the results of our security analysis of five runtime also need to sanitize all untrusted input before popular password managers. We organize our results per inserting it into the document; insufficient sanitization the discussion in Section 3. Table 2 summarizes the vul- could lead to cross-site scripting attacks, which in the nerabilities we found. Our discussion below highlights web security model implies a complete compromise. the presence of different types of security vulnerabili- ties in web-based password managers. We do not present 3.3 Authorization Vulnerabilities complete architectural details of each password manager; Sharing credentials increases the complexity of securing instead, we only provide enough technical details to un- password managers. While previously, each credential derstand each vulnerability. was only accessible by its owner, now each credential needs an access control list. Any user could potentially 4.1 Bookmarklet Vulnerabilities access a credential belonging to Alice, if Alice has autho- As discussed earlier, a bookmarklet allows a user of a rized it. A password manager needs to ensure that all ac- password manager to log in to web applications with- tions related to sharing/updating credentials are fully au- out needing to install any extension, a particularly useful

6 Bookmarklet Web Authorization User Interface Vulnerabilities Vulnerabilities Vulnerabilities Vulnerabilities LastPass ✓(§ 4.1.1) ✓(§ 4.2.1) ✓(§ 4.4) RoboForm ✓(§ 4.1.2) ✓(§ 4.2.2) NA ✓(§ 4.4) My1login ✓(§ 4.1.3) ✓(§ 4.3.1) PasswordBox NA ✓(§ 4.3.2) NA NeedMyPassword NA ✓(§ 4.2.3) NA NA

Table 2: Summary of Vulnerabilities Discovered. NA identifies vulnerabilities not applicable to the particular password manager because it does not provide the relevant functionality.

feature with mobile browsers that lack extension support. Alice dropbox.com _LASTPASS_RAND|h Three of the password managers we studied—LastPass, 1 Bookmarklet Click LastPass RoboForm, and My1login—provide access to creden- u = dropbox.com h|u 2 tials and auto-fill functionality using bookmarklets. In GET bml.php?v ref|rh|h|u fact, My1login only provides bookmarklet for auto-fill 3 support, advertising it as a feature (“No install needed”). ref|rh|h|u 4 We found critical vulnerabilities in all three book- GET bml.php?iframe marklets we studied. If a user clicks on the bookmarklet Alice on an attacker’s site, the attacker, in all three cases, learns lastpass.com (iframe) iframe ref|rh|h|u credentials for arbitrary websites. . 5 While in 2009 Adida et al. identified attacks on pass- word manager bookmarklets [1], our study indicates that ref|rh|h|u 6 these issues still plague password managers. This is par- GET bml.php?payload ticularly a cause of concern given the popularity of mo- 1. check cookies and h alice|d| 2. extract d and bile devices that lack full-fledged support for extensions. key_rand_encrypted key_rand_encrypted 7 4.1.1 Case Study: LastPass Bookmarklet getrand 8 PostMessage LastPass stores the credential database on the _LASTPASS_RAND 9 lastpass.com servers encrypted with a master_key, PostMessage which is a 256-bit symmetric key derived from the user’s extract the credential for u from d, alice, _LASTPASS_RAND, and key_rand_encrypted master username and master password. The LastPass credential 10 client-side code never sends the master password or PostMessage master key to the LastPass servers. Recall that a bookmarklet runs in the context of the (possibly malicious) web application. At the same time, Figure 3: LastPass: Automatic login using bookmarklet. due to LastPass’s credential encryption, the bookmarklet u is the domain on which Alice clicked on the book- needs to include the secret master_key (or a way to marklet. get to it), to decrypt the credential database. Including this secret in the bookmarklet, while still keeping it se- cret from the web application, is tricky. LastPass also lows Alice to revoke this bookmarklet in the future by provides the ability to revoke a previously created book- just deleting the corresponding h and encrypted master marklet, further complicating this feature. key from the LastPass servers. Installing a Bookmarklet. A user, Alice, wish- Using the Bookmarklet. Figure 3 illustrates how ing to install a bookmarklet needs to create a special Alice uses her LastPass bookmarklet to log in to link through her LastPass settings page. On Alice’s re- dropbox.com. At the Dropbox entry point, Alice clicks quest, the LastPass page code creates a new random on her LastPass bookmarklet, which includes the token value _LASTPASS_RAND and encrypts the master_key _LASTPASS_RAND and h. The bookmarklet code first with it, all within Alice’s browser. The LastPass checks the current page’s domain and adds a script el- servers then store this encrypted master key (called ement to the page sourced from lastpass.com. The key_rand_encrypted) and an identifier h along with request for the script element (Step 2 in Figure 3) sends Alice’s credential database. The page then creates a h and the web application domain dropbox.com as pa- JavaScript snippet containing _LASTPASS_RAND and h, rameters h and u. LastPass checks h and if the parameter which Alice can save as a bookmark. This design al- is valid (i.e., Alice has not revoked the bookmarklet), re-

7 Mallory Alice evil.com LastPass Linkability Attack. Finally, we note that _LASTPASS_RAND|h 1 Bookmarklet Click the h and _LASTPASS_RAND remain the same across LastPass ref|rh|h|u 2 browsers but differ by user. As discussed above, any GET bml.php?payload u = dropbox.com 1. check cookies and h website where the user clicks the bookmarklet can learn ref = u 2. extract d and these pseudo-identifiers h and _LASTPASS_RAND [1]. alice|d|key_rand_encrypted key_rand_encrypted 3 This allows colluding websites to track a user, violating extract the credential for u from d, alice, _LASTPASS_RAND, and key_rand_encrypted the user’s privacy expectations [10]. Additionally, this also allows a single website to identify and link multiple accounts belonging to the same user, which violates the Figure 4: Attack on LastPass bookmarklet based auto- unlinkability goal. login. The rh,h values are random; u and ref identify 4.1.2 Case Study: RoboForm Bookmarklet the Malloy’s target website. RoboForm also implements a bookmarklet feature, which allows a RoboForm user to log in to web appli- sponds with a JavaScript file containing the additional cations without installing the RoboForm extension. At a parameters ref and rh. high level, the RoboForm bookmarklet adds an iframe to Next, the newly fetched JavaScript file creates the web application login page. If Alice is already au- an iframe to lastpass.com using four parame- thenticated to RoboForm, the iframe just presents a list ters: ref,rh,h,u. This iframe includes a script of valid credentials (RoboForm files) that Alice can use located at lastpass.com/bml.php?u=dropbox.com to log in to the web application. that, when downloaded, includes the encrypted mas- ter key key_rand_encrypted and the credential for 1 javascript : (function (a, d, e) { var c = function () { dropbox.com encrypted with the master key. The iframe 3 return ”function”===typeof a.srf7&&(a.srf7(e )||!0) then receives the bookmarklet’s _LASTPASS_RAND value }, f = function (a) { 5 ... via a postMessage call, decrypts the dropbox.com cre- }; dential and sends them back. 7 c() || f (a.document) })(top. self ||window,”online.roboform.com/rfjs/main.js”, Vulnerability. The resource at 9 ”d147b223873cbfca22bc66768db512b1”) bml.php?u=dropbox.com (Step 6 Figure 3) is at a pre- Listing 1: RoboForm Bookmarklet code. dictable URI and contains sensitive information. It pro- vides the encrypted master key key_rand_encrypted and the credential for dropbox.com. The same-origin Technical Details. Figure 5 illustrates the RoboForm policy allows an attacker to include a script from any protocol if Alice, already logged in to RoboForm, clicks origin and execute it in the attacker’s webpage. on the bookmarklet to log in to dropbox.com. When LastPass Bookmarklet Attack. Figure 4 illustrates Alice clicks the RoboForm bookmarklet, the JavaScript how a malicious web application evil.com can steal snippet in Listing 1 executes in the current page. The Alice’s credential for dropbox.com. When Alice vis- hexadecimal number d147... (Line 9) is unique to Al- its the attacker’s site evil.com and clicks her LastPass ice; we will refer to it as rf_uid. The bookmarklet bookmarklet, the attacker uses any of a number of hijack code downloads a RoboForm script that creates an iframe techniques [1, 8] (e.g., Function.toSource) and ex- to roboform.com/rfjs/authform.php (Step 2, Fig- tracts both h and _LASTPASS_RAND. Then, the attacker ure 5). The iframe URL also includes two GET param- imitates Step 6 from Figure 3 (as Step 2 here) by writ- eters: rf_referrer_url, the URL of the web applica- ing a