Browser stored personal information there for the taking: Report

Discussion in 'other security issues & news' started by itman, Mar 6, 2018.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    https://www.scmagazine.com/browser-...n-there-for-the-taking-report/article/748932/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have never understood why browsers don't offer an advanced password manager that isn't easily hacked.
     
  3. 142395

    142395 Guest

    Firefox offers a master password and if the user uses it, credentials are encrypted. You can also set how long and how often they'll be locked/not locked so that you're safe even when the browser is partially compromised. But if it is compromised while the DB is open, you're toast.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    It will be interesting to see how/if the browser-based master password, or the equivalent in things like LastPass, is going to be protected in the days of Meltdown/Spectre. This is the main threat for in-process memory sniffing, and the problem is that most of the time, the master password would normally be in memory.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Does this mean that password recovery tools like the ones from Nirsoft won't be able to decrypt the browser stored passwords?
     
  6. 142395

    142395 Guest

    Maybe we should move to this thread. But basically these recovery tools use brute force (other than target-specific techniques such as pass-the-hash, you know), so it all depends on how strong a password you set.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Will do a bit of testing. Perhaps Windows should give an option to securely store all browser passwords with the Windows Credentials feature. And you should be able to block all non-authorized apps from getting access to this vault. This way you can block password stealers like Pony.

    https://www.digitalcitizen.life/cre...-windows-stores-passwords-other-login-details
    https://www.knowbe4.com/pony-stealer
     
  8. 142395

    142395 Guest

    Well, even if passwords are stored in a place separated from the OS, they finally have to be passed to the browser or email app or VPN app etc., and then they can be stolen. So you also need to block access to these programs. But the attacker still may abuse legitimate processes, so you need to block code injection and script abuse. But if you can do all of them, why was such malware installed in the first place...
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes of course, there's always some way, but the aim should be to make things harder. Perhaps the Windows Credentials manager can also be run inside a sandboxed process which will block all inter-process communication. It would definitely block password stealers that simply look for passwords inside the file system and registry.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    There are a number of schemes for secure string/password storage offered by things like DPAPI, and these are not specifically linked to Windows sandboxing, the latter being a complicated set of facilities depending on the OS platform you're on. It's not straightforward to add more advanced process isolation to .net programs at all, though it's a bit easier on UWP apps.

    It's also not straightforward to ensure that the exposure of secrets in memory is minimized in .net programs - while you can zero out byte arrays, for other things like strings, the garbage disposal cannot be guaranteed, and you have no control over what various libraries you use are doing under the hood.

    My view is that this stuff should always have been essentially data driven as far as RBAC type capabilities required by the program, embedded in the manifest, and then provide the ability to mark variables with attributes to tell the compiler and run-time that this variable has to be treated in particular ways (and hopefully in Meltdown/Spectre resistant ways with library/OS support).
     
  11. 142395

    142395 Guest

    I said that because the example you posted appears to use that method, i.e. stealing credentials from the (email/VPN/other) program's memory rather than the DB. Blocking access to the DB (file) doesn't make much sense when it is properly encrypted. It only makes sense when contents can be accessed in decrypted form, such as Veracrypt after you entered the master password, but all password managers I know don't do that and they're encrypted in memory too except when needed. In KeePass on Windows it's done by DPAPI and on Mac/Linux it uses the stream cipher ChaCha20.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I assumed Pony looked for password files stored on disk and in the registry. I'm not really sure if it can somehow also steal directly from memory; here is some more info:

    https://blog.avast.com/2014/08/19/reveton-ransomware-has-dangerously-evolved/

    It should work sort of like how safe banking browsers work: non-authorized processes shouldn't be able to communicate with this new Windows Password Manager.
     
  13. 142395

    142395 Guest

    Ah, I see! I forgot these programs offer a "Remember password" option, as I rarely use them. In that case they're not actually 'encrypted' but rather 'encoded' into a file or the registry, so sure, malware will be able to recover it and blocking access to them might make sense.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes exactly, I believe Outpost Firewall offered an "Application Guard" which blocked unauthorized apps from getting access to these files. But like I said before, it's a shame that browsers secure saved passwords so poorly, that's why I have never used the auto-fill functions.
     
  15. 142395

    142395 Guest

    Note Firefox's vault when you enable the master password utilizes real encryption, not just encoding, so as long as you use a strong password, no malware can recover it, tho ofc stealing from memory or injecting code is still possible (true of any other password manager).
    But I generally don't use autofill in password managers, I prefer filling in only when I need it, tho it also can be called 'autofill' (figure of speech).
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but I read that even with encryption it's easy to crack. Memory stealing could be mitigated by blocking code injection and process memory reading.

    https://www.wilderssecurity.com/thr...red-for-the-past-9-years.401781/#post-2745610
     
  17. 142395

    142395 Guest

    IDK what exactly you mean, but if it is properly encrypted with a strong password, even the NSA couldn't break it. Ofc there're ways to circumvent it, stealing when it's decrypted (e.g. from memory), keylogger, side channel, etc. and you need to take measures against them. But a Pony-style attack is impossible against an encrypted DB, unless the dev made a serious blunder (possible, but not likely for a well-established password manager). There are some forensics-based attack techniques against encrypted contents, but most of them (except for the cold-boot attack, which you can mitigate in some way) are either not applicable to a decent password manager or not able to break the encryption by itself. Having seen many vulns in encryption software and OSes, I can say at-rest encryption is pretty robust unlike encrypted communication. Most vulns either require a quite unlikely situation to exploit, or are not about reading contents but modifying them.
     
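    The "encoded vs. encrypted" distinction from post 13 and the "with a strong master password, recovery reduces to brute force" point from post 17, as an added example that is not from the thread or from any product named in it. It uses only Node.js built-in crypto; the PBKDF2 iteration count, the blob layout and the function names are assumptions of this example, and the derived key is zeroed after use along the lines of deBoetie's remark about byte arrays in post 10.

    ```javascript
    // Added example (not from the thread): "encoded" vs "encrypted" credential storage.
    // Node.js built-in crypto only; no third-party code.
    const crypto = require('crypto');

    // "Encoded" storage: reversible by anyone who can read the file or registry value.
    function encodeCredential(password) {
      return Buffer.from(password, 'utf8').toString('base64');
    }
    function decodeCredential(blob) {
      return Buffer.from(blob, 'base64').toString('utf8');
    }

    // "Encrypted" storage: key derived from the master password with PBKDF2-HMAC-SHA256,
    // then AES-256-GCM so a tampered blob is rejected. Iteration count is an assumed value.
    const KDF_ITERATIONS = 600000;

    function deriveKey(master, salt) {
      return crypto.pbkdf2Sync(master, salt, KDF_ITERATIONS, 32, 'sha256');
    }

    // Blob layout (assumed): salt(16) || iv(12) || gcmTag(16) || ciphertext, base64-encoded.
    function sealCredential(master, password) {
      const salt = crypto.randomBytes(16);
      const iv = crypto.randomBytes(12);
      const key = deriveKey(master, salt);
      const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
      const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
      const tag = cipher.getAuthTag();
      key.fill(0); // zero the derived key as soon as it is no longer needed
      return Buffer.concat([salt, iv, tag, ct]).toString('base64');
    }

    function openCredential(master, blob) {
      const buf = Buffer.from(blob, 'base64');
      const salt = buf.subarray(0, 16), iv = buf.subarray(16, 28);
      const tag = buf.subarray(28, 44), ct = buf.subarray(44);
      const key = deriveKey(master, salt);
      try {
        const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
        d.setAuthTag(tag);
        return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
      } catch (e) {
        return null; // wrong master password or modified blob: the GCM tag check fails
      } finally {
        key.fill(0);
      }
    }
    ```

    With the encoded form, reading the stored value is enough to recover the secret; with the sealed form, every guess at the master password costs a full PBKDF2 run, so an offline attack on the blob is bounded by the strength of that password.
    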
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, then I misunderstood, so with a strong password it should be hard to decrypt. I still need to test it against the Nirsoft and other password decrypting tools. BTW, LockBox looks interesting, let's hope it will be real secure.
     
  19. 142395

    142395 Guest

    I didn't know LockBox, or maybe forgot, thanks for the info. I couldn't find any detail about its security except that it uses AES256-GCM (and yes, I'm not talented enough to examine source code); hope that will be disclosed once it has finished the alpha stage.
     