2006-12-11
Introduction and review of part one
This article presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems: those found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:
- Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).
- Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued now in part 2).
- False sense of security: Users employing password managers without any awareness of the risk factors.
- Usability: Features that enhance or deter the usability of security features.
- Mitigation and Countermeasures: Actions that can be taken by users and corporations to reduce the risk.
Part one of this article concluded just after discussing two JavaScript attacks against web browsers. Readers should review part one before continuing on with this article.
We now continue the discussion by looking at more attacks on Password Managers. The author will then address the remaining goals of the article: in particular, how the use of password managers gives users a false sense of security, usability issues, and important mitigations and countermeasures.
To maintain consistency, section numbers (5.1, 5.2, etc.) now continue from where part one left off.
5.2 Firefox 2.0 password manager implementation flaw (JavaScript reverse cross-site scripting)
Firefox's password manager (version 2.0) as of November 2006 has a software flaw that allows a user's credentials (for the site currently being visited) to be posted to any URL if the user clicks a maliciously crafted link. [ref 22] The vulnerability, now called Reverse Cross-Site Request (RCSR), derives from the fact that the browser does not check the URL to which the credentials are sent when it fills a web form. For the attack to work, the user must have previously visited the site and had the password manager save the credentials. This information-stealing tactic has been carried out on MySpace.com and was discovered by CIS. [ref 23] Social networking sites that allow users to post raw HTML are the most susceptible.
RCSR is more potent than the attack described in section 5.1 (in part one of this article) because XMLHttpRequest cannot send requests outside the current domain, whereas a crafted form can post to any domain. Additionally, the link (the action that causes the form to submit) can be disguised as an embedded video, webcast, or even a game, making it increasingly covert.
5.3 Revealing Internet Explorer passwords
5.3.1 Password recovery
Many companies now sell commercial software to recover passwords from IE's AutoComplete. ElcomSoft produces the Advanced Internet Explorer Password Recovery (AIEPR) program. [ref 24] As stated on its website, it can recover any AutoComplete information on IE versions 3 through 6, as long as the user is logged in. Freeware programs such as PassView [ref 25], which works for IE versions 4 through 6, and IEPassView, for IE7 [ref 26], are also available.
5.3.2 Malware
Internet Explorer is usually a prime target for malware infection. However, as it relates to this article, these vulnerabilities converge at a dangerous point where malware programs specifically target AutoComplete information. These programs gather the confidential information and then send it back to the attacker. BackDoor-AXJ [ref 27] is a Trojan program that collects AutoComplete and other information on a victim machine and then sends it back to the controller. Srv.SSA-KeyLogger [ref 28] is a backdoor that installs covertly into Internet Explorer and acts as a key logger. The backdoor also covertly turns on AutoComplete, steals data from Protected Storage, and sends it back via the HTTP GET method.
5.4 Revealing Firefox passwords
5.4.1 Easily accessible clear text passwords
For users unfamiliar with the Firefox Password Manager, anyone who is logged in with physical access to the computer can view passwords in cleartext when navigating the following:
On Windows XP:
Firefox 1.5
Tools | Options | Privacy | Passwords | View Saved Passwords | View Passwords | Show Passwords
Firefox 2.0
Tools | Options | Security | Show Passwords | Show Passwords
5.4.2 Master Password Attacks
Recently, tools have been developed to perform password attacks on the Master Password in Firefox. The following attacks are currently feasible:
- Brute force
- Dictionary
- Hybrid
Firemaster is a password cracker that was designed to derive the Master Password in Firefox. [ref 29] The tool, written in C++, was released by N. Y. Talekar in early January 2006; the source code is currently available online. Other tools written in C with scripting functionality have also been developed. [ref 30] As a result of the development of these tools, the confidentiality of the password database is completely reliant on the Master Password withstanding these attacks. Needless to say, a poor password choice (lowercase dictionary words) can be cracked in microseconds. Moreover, having no Master Password at all discloses the password database immediately; this is essentially equivalent to navigating the options menu in Firefox to Show Passwords.
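Because the database's confidentiality rests entirely on the Master Password, a defender's first question is which of the three attack classes above would reach a given choice and how large a search space that attack faces. The Python below is an added example, not part of the article or of any of the tools it cites: it classifies a candidate Master Password as found by a dictionary, hybrid (dictionary word plus digit suffix) or brute-force attack and turns the search-space size into a worst-case time. The word list is a constructed miniature, and the dictionary size and guess rate are labelled assumptions, not figures from the text.

```python
import string

# Constructed miniature word list standing in for a cracking dictionary.
WORDLIST = {"password", "letmein", "firefox", "mozilla", "secret", "dragon"}
# Assumptions used for the estimate: the size of a realistic cracking dictionary
# and the guess rate of an offline cracker. Both are illustrative, not measured.
ASSUMED_WORDLIST_SIZE = 1_000_000
ASSUMED_GUESSES_PER_SECOND = 1_000_000

# Character classes for the brute-force keyspace: (membership test, class size).
_CHAR_CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
)


def classify(master_password):
    """Return (attack class that finds the password, size of its search space).

    The classes are tried in the order an attacker would: no password at all,
    plain dictionary, dictionary word with a short digit suffix, then brute force
    over the character classes actually present."""
    if master_password == "":
        return "none", 1                     # no Master Password: disclosed immediately
    low = master_password.lower()
    if low in WORDLIST:
        return "dictionary", ASSUMED_WORDLIST_SIZE
    stem = low.rstrip(string.digits)
    suffix_len = len(low) - len(stem)
    if stem in WORDLIST and 0 < suffix_len <= 4:
        # Hybrid: every word tried as-is and capitalised, with every digit suffix
        # of this length appended.
        return "hybrid", ASSUMED_WORDLIST_SIZE * 2 * 10 ** suffix_len
    charset = sum(size for test, size in _CHAR_CLASSES
                  if any(test(c) for c in master_password))
    charset = max(charset, 1)                # e.g. all spaces: treat as one symbol
    return "brute force", charset ** len(master_password)


def worst_case_seconds(master_password):
    """Seconds an attacker needs to exhaust the search space at the assumed rate."""
    attack, space = classify(master_password)
    return attack, space / ASSUMED_GUESSES_PER_SECOND


if __name__ == "__main__":
    for candidate in ("", "dragon", "Firefox2006", "xK9#p2Lq"):
        attack, seconds = worst_case_seconds(candidate)
        print(f"{candidate!r:14} {attack:12} {seconds:.3g} s")
```

Under these assumptions a dictionary word such as "dragon" falls in about a second, a hybrid such as "Firefox2006" in a few hours, and only the eight-character mixed-class password pushes the estimate to years; the practical reading is that a Master Password must be outside the dictionary and hybrid classes to carry the weight the text places on it.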
5.4.3 Multiple username/password entries per URL
Firefox has an interesting feature in that it allows multiple authentication entries to be stored for one web site. For instance, let's say two fictional characters, Alice and Bob, use the Firefox Password Manager on the same Windows XP user account but have different banking accounts on the same web site (www.pncbank.com). The Password Manager will store both username and password pairs, distinguish which account to use based on the username typed, and automatically fill the password field. This feature also gives either person the ability to view the other's credentials, as in the following:
URL               Username   Password
www.pncbank.com   bob        k9x763s
www.pncbank.com   alice      n63ld23f
Based on security models, no two individuals should be using the same computer user account; however, this scenario is still a security risk because not all organizations follow best practices. Additionally, there is a similar concern if a username/password pair is accidentally entered incorrectly for a specific site (such as mistakenly switching the logins for two different banking sites). That information will be stored (even though it is not used) and could be compromised at some time in the future without the knowledge of the user.
5.4.4 Denial of Service Attacks
Any user or program with the right permissions on a user's local profile on the file system can potentially attack the integrity and availability of the Password Manager. If vital files (keyN.db, certN.db, secmod.db, signons.txt) are deleted or modified, the result is that no usernames or passwords are recoverable. The most important of these files are keyN.db and signons.txt, which hold the private keys and the encrypted data, respectively.
In order to ensure integrity and availability of the password database it would be prudent to copy keyN.db, certN.db, secmod.db, and signons.txt to a secure location. Thus if those files are modified or deleted and the Password Manager is no longer available, it would still be possible to recover the password database by copying the files back to the Firefox profile directory.
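The backup-and-restore procedure described in this section, written out as an added Python example (not code from the article or from Mozilla). It copies the credential files to a separate location, records a SHA-256 digest of each so that later modification can be distinguished from deletion, and restores only from backup copies that still match the recorded digests. The wildcard patterns are an assumption so that the numbered file names of the era (key3.db, cert8.db, signons2.txt) are matched; the demo() function builds a throwaway profile from constructed file contents rather than touching a real one.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Patterns for the profile files named in the text (keyN.db, certN.db, secmod.db,
# signons.txt); the wildcards are an assumption covering the numbered variants.
PROFILE_PATTERNS = ("key*.db", "cert*.db", "secmod.db", "signons*.txt")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def credential_files(profile_dir):
    """The password-database files present in profile_dir, in a stable order."""
    profile_dir = Path(profile_dir)
    found = []
    for pattern in PROFILE_PATTERNS:
        found.extend(sorted(profile_dir.glob(pattern)))
    return found


def backup_profile(profile_dir, backup_dir):
    """Copy the credential files to backup_dir; return a {name: sha256} manifest."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in credential_files(profile_dir):
        shutil.copy2(src, backup_dir / src.name)   # copy2 keeps timestamps too
        manifest[src.name] = sha256_of(src)
    return manifest


def verify_profile(profile_dir, manifest):
    """Return {name: 'missing' | 'modified'} for files that no longer match."""
    profile_dir = Path(profile_dir)
    problems = {}
    for name, digest in manifest.items():
        path = profile_dir / name
        if not path.exists():
            problems[name] = "missing"
        elif sha256_of(path) != digest:
            problems[name] = "modified"
    return problems


def restore_profile(backup_dir, profile_dir, manifest):
    """Copy every manifest file back into the profile, refusing a tampered backup."""
    restored = []
    for name, digest in manifest.items():
        src = Path(backup_dir) / name
        if sha256_of(src) != digest:
            raise ValueError(f"backup copy of {name} does not match its recorded digest")
        shutil.copy2(src, Path(profile_dir) / name)
        restored.append(name)
    return restored


def demo():
    """Build a constructed profile, back it up, damage it, and recover it.

    Returns (backed-up file names, problems found after damage, problems after restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile, backup = Path(tmp) / "profile", Path(tmp) / "backup"
        profile.mkdir()
        # Constructed stand-ins for the real (binary) profile files; prefs.js is
        # included to show that unrelated files are left alone.
        for name in ("key3.db", "cert8.db", "secmod.db", "signons2.txt", "prefs.js"):
            (profile / name).write_bytes(b"constructed contents of " + name.encode())
        manifest = backup_profile(profile, backup)
        # Simulate the attack from the text: one file deleted, one overwritten.
        (profile / "signons2.txt").unlink()
        (profile / "key3.db").write_bytes(b"garbage")
        before = verify_profile(profile, manifest)
        restore_profile(backup, profile, manifest)
        after = verify_profile(profile, manifest)
        return sorted(manifest), before, after


if __name__ == "__main__":
    print(demo())
```

Running demo() reports key3.db as modified and signons2.txt as missing before the restore and no problems afterwards. The secure location for the backup should be outside the profile directory and not writable by the same account, otherwise whatever deleted the originals can delete the copies too.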
[ref 22] "Firefox Password Manager Information Disclosure." http://secunia.com/advisories/23046
[ref 23] "CIS Finds Flaws in Firefox v2 Password Manager." http://www.info-svc.com/news/11-21-2006/
[ref 24] AIEPR, ElcomSoft, http://www.elcomsoft.com
[ref 25] N. Sofer, "Protected Storage PassView," http://www.nirsoft.net/utils/pspv.html
[ref 26] N. Sofer, "IE PassView v.1.00," http://www.nirsoft.net/utils/internet_explorer_password.html
[ref 27] BackDoor-AXJ, McAfee, June 2004. http://vil.nai.com/vil/content/v_100488.htm
[ref 28] Srv.SSA-KeyLogger, Counter Spy Research Center, http://research.sunbelt-software.com/Advisory.cfm
[ref 29] N. Y. Talekar, Firemaster: firefox master password cracker, 2006. http://nagmatrix.50webs.com/article_firemaster.html
[ref 30] "Mozilla saved passwords recovery (export) utility," 2005, http://wejn.org/stuff/moz-export.html, (Accessed March 2006).
