Exploiting Leakage in Password Managers via Injection Attacks

Authors: 

Andrés Fábrega, Armin Namavari, and Rachit Agarwal, Cornell University; Ben Nassi, Cornell Tech, Technion - Israel Institute of Technology; Thomas Ristenpart, Cornell University, Cornell Tech

Abstract: 

This work explores injection attacks against password managers. In this setting, the adversary (only) controls their own application client, which they use to "inject" chosen payloads into a victim's client via, for example, sharing credentials with them. The injections are interleaved with adversarial observations of some form of protected state (such as encrypted vault exports or the network traffic received by the application servers), from which the adversary backs out confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames, and attachments. We develop general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of ten distinct password manager applications. We disclosed our findings to these vendors, many of which deployed mitigations.
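The following is an added example written for this page; it is not code from the paper or from any product the paper studies. It models one assumed design pattern that fits the abstract's template (inject a chosen payload, observe protected state, back out a secret): a client that compresses the serialized vault before encrypting it, so that the ciphertext length reveals how much of a shared record repeats the victim's own data. The attacker shares a record with the victim, edits it repeatedly, and observes only the length of the victim's encrypted export. The vault records, the toy LZ77 compressor, the stand-in stream cipher, the `^` sentinel and the assumption that the attacker knows the fields that precede the one being recovered (here the target URL) are all constructed for the example.

```python
"""Injection attack on a compress-then-encrypt vault export (toy model).

The attacker controls only their own client: they share one record with the
victim and observe the length of the victim's encrypted export.  Because the
export is compressed before encryption, a shared record that repeats the
victim's data compresses better, and the ciphertext length reveals how many
characters of a guess matched.  Everything below is constructed for this
example and is not the design of any particular product.
"""
import hashlib
import json
import os
import string

FIELDS = ("url", "username", "password")   # serialization order of a record
SENTINEL = "^"   # assumed to appear nowhere in the victim's data; it stops
                 # the byte after a guess from accidentally extending a match


def lz_compress(data: bytes, min_match: int = 3, max_match: int = 255) -> bytes:
    """Greedy LZ77 with fixed-width tokens: a literal costs 2 bytes, a match
    (flag, 2-byte distance, 1-byte length) costs 4.  Fixed widths make the
    output length depend only on how the input splits into matches, which
    removes the Huffman noise a real DEFLATE stream would add."""
    out = bytearray()
    earlier = {}                 # byte value -> positions before i holding it
    i, n = 0, len(data)
    while i < n:
        best_len = best_dist = 0
        for j in earlier.get(data[i], ()):
            k = 0
            while k < max_match and i + k < n and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_dist = k, i - j
        if best_len >= min_match:
            out += b"\x01" + best_dist.to_bytes(2, "big") + bytes([best_len])
            step = best_len
        else:
            out += b"\x00" + bytes([data[i]])
            step = 1
        for p in range(i, i + step):
            earlier.setdefault(data[p], []).append(p)
        i += step
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Nonce plus a length-preserving keystream XOR (SHA-256 in counter mode).
    A stand-in for the client's real AEAD: the attack only needs the length."""
    nonce = os.urandom(16)
    blocks = len(plaintext) // 32 + 1
    stream = b"".join(hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
                      for c in range(blocks))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


class VictimClient:
    """The victim's password manager: its own records plus the item the
    attacker shared, exported as encrypt(compress(json))."""

    def __init__(self, records):
        self.key = os.urandom(32)
        self.records = [dict(r) for r in records]
        self.shared = None            # latest version of the attacker's shared item

    def receive_shared(self, record):
        self.shared = dict(record)    # an edited share replaces the previous one

    def encrypted_export(self) -> bytes:
        vault = self.records + ([self.shared] if self.shared is not None else [])
        plaintext = json.dumps(vault, separators=(",", ":")).encode()
        return encrypt(self.key, lz_compress(plaintext))


def recover_field(victim, known, field,
                  alphabet=string.ascii_lowercase + string.digits, max_len=64):
    """Recover `field` of the victim record whose preceding fields are `known`.
    Each round shares a record carrying the recovered prefix plus one guessed
    character; the guess that shortens the export is correct.  When no guess
    shortens it, the field is complete."""
    recovered = ""
    for _ in range(max_len):
        sizes = {}
        for g in alphabet:
            probe = {f: (recovered + g + SENTINEL if f == field else known.get(f, ""))
                     for f in FIELDS}
            victim.receive_shared(probe)
            sizes[g] = len(victim.encrypted_export())       # the only observation
        best = min(sizes, key=sizes.get)
        if sizes[best] == max(sizes.values()):             # nothing matched: done
            break
        recovered += best
    return recovered


# Constructed victim vault; the attacker is assumed to know only the target URL.
VICTIM_RECORDS = [
    {"url": "https://mail.example", "username": "alice", "password": "c0rrecth0rse"},
    {"url": "https://bank.example", "username": "alice", "password": "hunter2"},
    {"url": "https://shop.example", "username": "alice.smith", "password": "h4rdpass"},
]
TARGET_URL = "https://bank.example"


def run_attack(records=VICTIM_RECORDS, target_url=TARGET_URL):
    """Recover username, then password, for the target URL from export sizes alone."""
    victim = VictimClient(records)
    username = recover_field(victim, {"url": target_url}, "username")
    password = recover_field(victim, {"url": target_url, "username": username}, "password")
    return username, password


if __name__ == "__main__":
    print(run_attack())   # ('alice', 'hunter2')
```

Two design points matter for the attack to be reliable. The probe is anchored by the target's URL, so the longest match always runs into the target record rather than into another record that happens to share a username or a password prefix; without that anchor the oracle only says "some record starts this way". The sentinel after the guessed character guarantees a wrong guess costs exactly one extra literal, so the correct guess is always two bytes shorter and a complete field shows up as a round where no guess helps. A real DEFLATE stream adds bit-level Huffman noise on top of this signal, which is why practical versions need repeated or padded probes; the structural fix on the client side is to never compress attacker-influenced data together with the owner's secrets before encrypting.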


BibTeX
@inproceedings {299876,
author = {Andr{\'e}s F{\'a}brega and Armin Namavari and Rachit Agarwal and Ben Nassi and Thomas Ristenpart},
title = {Exploiting Leakage in Password Managers via Injection Attacks},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {4337--4354},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/fabrega},
publisher = {USENIX Association},
month = aug
}
