How Browsers Store Your Passwords (and Why You Shouldn't Let Them)

Discussion in 'other software & services' started by Minimalist, Jan 9, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    http://raidersec.blogspot.com/2013/06/how-browsers-store-your-passwords-and.html
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, this link has been posted before. It's interesting, and also a bit weird that browsers have never really been focused on providing strong security for password management. I also wonder why HIPS still not offer a feature to protect password files, so basically, only browsers should have access to the password storage areas (file system and registry) and it should deny all other apps.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, HIPS are not the best tools for that particular task. The file system itself would be the best tool for this task.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Since you can't limit an access to file on per-process basis, I don't see how file system could be used to achieve this. Maybe if browser is run under separate user and then allowing only that user to access password storage files.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Make an account just for the browser(s) with its own specific permissions.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Yes, but would that help if this same browser launches malware (exploit or manually launched)? Child process would be run with same credentials as browser. IMO per-process access control can give better and more granular protection.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The HIPS could restrict the browsers ability to launch other processes, including malware. As for integrating per-process file and file system access into a HIPS, that would make them more complicated than they already are. SSM-Pro for instance has that ability for the registry, but the interfaces are enough to cause migraines. I can't quite picture an interface that would enable you to establish specific permissions for every file and folder separately for each process.

    Maybe a hybrid approach would be more effective. Let the file system control the file system access and a HIPS control the processes. The user would have to pay close attention to the details and restrict what formats can be opened via browser integration.

    Do the same access permissions you mention apply to child processes of sandboxed applications?
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    I was using Malware Defender before switching to 64 bit and I really liked the control I could get using it. To get control over those files and registry keys I would just create few rules that would prevent access to them. Then I would create allow rules for browser to access them. It would all be set in few minutes. I really miss granularity and completeness of control that MD gave me. :(

    When it comes to sandboxing I assume that child process would also run inside sandbox so all restrictions from sandbox would probably apply to it. But I doubt that sandbox would block access to password store, as browser wouldn't be able to use it also.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I never could get MD to run on any PC here. Always blue screened either during the install or after the reboot. I question if that tradeoff for 64bit is really worth it. Myself, I'd value the control more than the performance increase. That and the fact that I don't trust any security feature created by Microsoft to not have a bypass of some sort.

    Let me rephrase the sandbox question. Would or can SandBoxie add additional restrictions to the child processes of a sandboxed process that the OS can't? Example, can it allow the browser access to the password store while blocking that access for any child processes of the browser?
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Not possible if I remember right. SBIE can implement access control on per sandbox basis. You would have to run browser and child process in separate sandboxes. That is not possible AFAIK.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    OK. Was a thought.
     
  12. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    829
    Location:
    UK
    Doesnt the password leak feature of some security features not prevent password loss?

    Outpost has has a box where you enter password you dont want transmitted.
    Its called id block in outpost

    Other security programs have this as well
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That depends on how much you trust that security application. The security application becomes another potentially exploitable source for those passwords, especially if those applications call home.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    I dont save passwords but this is something that you can do with Sandboxie. Using Firefox as an example, you can set up a sandbox where only firefox.exe has access to the password manager. If you look at the picture, you can read under firefox.exe in the drop down window that "All programs except firefox.exe" are blocked from having access to file key3.db.

    Bo

    Sin título.jpg
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Thank you bo elam. Didn't know that this was possible :thumb:
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    You are welcome. To block all programs except one, you click Add program, in the example, you add firefox.exe to the drop down menu, then you add ! before firefox.exe: setting !firefox.exe blocks all programs in that sandbox from having access to key3.db (navigate to file you want blocked by clicking Add) except Firefox.exe.

    Bo
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Was this option added in newer version of SBIE? I don't remember this option from the last time I've used it.
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    It has always being available but you have to know about adding !.

    Bo
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    OK, thanks for clarifying.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Well, in theory it should be a simple job for behavior blockers/HIPS, it's not any different than standard file/folder protection. Like I said, only certain apps should have access to certain folders and registry keys. This way you could stop malicious apps who search for password files.

    Of course, if password-stealing apps run as a child process or in-memory (file-less malware), it gets trickier to stop them. The first one could be stopped by monitoring child processes, but with modern browsers who spawn multiple browser processes, this can be difficult.

    The second one can probably not be stopped by HIPS, but only by anti-exploit, who prevent the browser's memory (or other exploited app) from being compromised. But it's a shame that HIPS don't come with standard password file protection.
     
Loading...