Plugging a Password Leak

How a simple fix made password managers more secure.

From a computer-security perspective, the best Internet passwords are long and unique to one website, and contain a mix of letters, numbers, and special characters. Unfortunately, abiding by these guidelines can make logging in to different websites a challenging memory test. Password management tools are one solution for people who can't keep all their passwords straight, but these tools can pose their own security risks. Now researchers have found a way to make some of these systems more secure.

Credit: Technology Review

The researchers focused their work on a small but increasingly popular class of password managers created using bookmarklets--browser bookmarks that incorporate JavaScript code to perform a complex task, in this case, automatically logging a user in to a website. After studying six commercially available bookmarklets, the researchers identified a significant flaw: an attacker could fool the tools into revealing all of a user's passwords.

"It's a problem that needs to be taken seriously," says Ben Adida, a research fellow with Harvard's Center for Research on Computation and Society. Adida investigated the problem with Adam Barth, a postdoctoral fellow in computer science at the University of California, Berkeley, and Collin Jackson, a computer-science PhD candidate at Stanford University. Jackson recently gave a speech at MIT outlining the security problem and the team's solution.

Typically, a bookmarklet-based password manager stores passwords for a user's favorite websites on a central server somewhere. The next time the user visits one of those sites, he simply clicks on the bookmarklet to log in. "When the user clicks a bookmarklet, they've indicated that they want to release a password to the browser," says Jackson. "The question is, which one?"

The bookmarklet usually determines which website is currently displayed by checking the URL of the browser window using JavaScript. The password manager then uses that information to determine which password to release to the browser, and the user is automatically logged in.

Story continues below

Adida, Barth, and Jackson found that while each bookmarklet dealt with the details of the operation differently, they all shared one fundamental problem: they couldn't be trusted to know what website the user was actually visiting. With a few lines of code, the tool could be tricked into believing, for example, that the user was at her bank's website when really she was at an attacker's site.

"The attacks that we found worked a little bit differently for each password manager," Jackson says. But all of the six tools analyzed could be manipulated to reveal a user's stored passwords.