Plugging a Password Leak

Credit: Technology Review

From a computer-security perspective, the best Internet passwords are long and unique to one website, and contain a mix of letters, numbers, and special characters. Unfortunately, abiding by these guidelines can make logging in to different websites a challenging memory test. Password management tools are one solution for people who can't keep all their passwords straight, but these tools can pose their own security risks. Now researchers have found a way to make some of these systems more secure.

The researchers focused their work on a small but increasingly popular class of password managers created using bookmarklets--browser bookmarks that incorporate JavaScript code to perform a complex task, in this case, automatically logging a user in to a website. After studying six commercially available bookmarklets, the researchers identified a significant flaw: an attacker could fool the tools into revealing all of a user's passwords.

"It's a problem that needs to be taken seriously," says Ben Adida, a research fellow with Harvard's Center for Research on Computation and Society. Adida investigated the problem with Adam Barth, a postdoctoral fellow in computer science at the University of California, Berkeley, and Collin Jackson, a computer-science PhD candidate at Stanford University. Jackson recently gave a speech at MIT outlining the security problem and the team's solution.

Typically, a bookmarklet-based password manager stores passwords for a user's favorite websites on a central server somewhere. The next time the user visits one of those sites, he simply clicks on the bookmarklet to log in. "When the user clicks a bookmarklet, they've indicated that they want to release a password to the browser," says Jackson. "The question is, which one?"

The bookmarklet usually determines which website is currently displayed by checking the URL of the browser window using JavaScript. The password manager then uses that information to determine which password to release to the browser, and the user is automatically logged in.

Adida, Barth, and Jackson found that while each bookmarklet dealt with the details of the operation differently, they all shared one fundamental problem: they couldn't be trusted to know what website the user was actually visiting. With a few lines of code, the tool could be tricked into believing, for example, that the user was at her bank's website when really she was at an attacker's site.

"The attacks that we found worked a little bit differently for each password manager," Jackson says. But all of the six tools analyzed could be manipulated to reveal a user's stored passwords.

Fortunately, Adida and his team found a solution to the problem that was also easy to implement. Instead of checking the browser window's location, they suggest checking another attribute: the referrer header. As long as the bookmarklet uses a standard data transfer protocol known as a secure socket layer (SSL), the header cannot be easily forged.

Of the six bookmarklet companies contacted by the research team, five decided to implement the solution: Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The sixth company opted to warn its customers about the problem instead of fixing it as the researchers suggested.

"It was a very straightforward fix," says Scott Blomquist, chief technical officer for MyVidoop, of Portland, OR. "It only took a few minutes of developer time." Blomquist describes the vulnerability as "marginal"--noting that few people use the bookmarklet version of their password manager and that the attack would take some time and skill to implement.

Still, it could potentially expose users to significant financial loss. "It's unlikely that some attacker has actually done this," notes Adida, "but if [someone] had, you wouldn't even know." A user might notice that his bank account is empty, but it would be hard to figure out how the attack was perpetrated. "At the end of the day, a lot of this security stuff is a bit like selling life insurance. Most users are just not paranoid enough."

The researchers believe that in the future, there will be an even better solution to the bookmarklet problem: a new browser feature called postMessage. Barth says that the postMessage feature is designed to allow browser windows to transmit information back and forth securely, while accurately confirming the origin of each message. Once this feature is implemented in most browsers, Jackson says, it could be used to transmit passwords between browser frames or windows in a secure fashion.