Intelligent Machines

Plugging a Password Leak

How a simple fix made password managers more secure.

From a computer-security perspective, the best Internet passwords are long and unique to one website, and contain a mix of letters, numbers, and special characters. Unfortunately, abiding by these guidelines can make logging in to different websites a challenging memory test. Password management tools are one solution for people who can’t keep all their passwords straight, but these tools can pose their own security risks. Now researchers have found a way to make some of these systems more secure.

The researchers focused their work on a small but increasingly popular class of password managers created using bookmarklets–browser bookmarks that incorporate JavaScript code to perform a complex task, in this case, automatically logging a user in to a website. After studying six commercially available bookmarklets, the researchers identified a significant flaw: an attacker could fool the tools into revealing all of a user’s passwords.

“It’s a problem that needs to be taken seriously,” says Ben Adida, a research fellow with Harvard’s Center for Research on Computation and Society. Adida investigated the problem with Adam Barth, a postdoctoral fellow in computer science at the University of California, Berkeley, and Collin Jackson, a computer-science PhD candidate at Stanford University. Jackson recently gave a speech at MIT outlining the security problem and the team’s solution.

Typically, a bookmarklet-based password manager stores passwords for a user’s favorite websites on a central server somewhere. The next time the user visits one of those sites, he simply clicks on the bookmarklet to log in. “When the user clicks a bookmarklet, they’ve indicated that they want to release a password to the browser,” says Jackson. “The question is, which one?”

The bookmarklet usually determines which website is currently displayed by checking the URL of the browser window using JavaScript. The password manager then uses that information to determine which password to release to the browser, and the user is automatically logged in.

Adida, Barth, and Jackson found that while each bookmarklet dealt with the details of the operation differently, they all shared one fundamental problem: they couldn’t be trusted to know what website the user was actually visiting. With a few lines of code, the tool could be tricked into believing, for example, that the user was at her bank’s website when really she was at an attacker’s site.

“The attacks that we found worked a little bit differently for each password manager,” Jackson says. But all of the six tools analyzed could be manipulated to reveal a user’s stored passwords.

Fortunately, Adida and his team found a solution to the problem that was also easy to implement. Instead of checking the browser window’s location, they suggest checking another attribute: the referrer header. As long as the bookmarklet uses a standard data transfer protocol known as a secure socket layer (SSL), the header cannot be easily forged.

Of the six bookmarklet companies contacted by the research team, five decided to implement the solution: Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The sixth company opted to warn its customers about the problem instead of fixing it as the researchers suggested.

“It was a very straightforward fix,” says Scott Blomquist, chief technical officer for MyVidoop, of Portland, OR. “It only took a few minutes of developer time.” Blomquist describes the vulnerability as “marginal”–noting that few people use the bookmarklet version of their password manager and that the attack would take some time and skill to implement.

Still, it could potentially expose users to significant financial loss. “It’s unlikely that some attacker has actually done this,” notes Adida, “but if [someone] had, you wouldn’t even know.” A user might notice that his bank account is empty, but it would be hard to figure out how the attack was perpetrated. “At the end of the day, a lot of this security stuff is a bit like selling life insurance. Most users are just not paranoid enough.”

The researchers believe that in the future, there will be an even better solution to the bookmarklet problem: a new browser feature called postMessage. Barth says that the postMessage feature is designed to allow browser windows to transmit information back and forth securely, while accurately confirming the origin of each message. Once this feature is implemented in most browsers, Jackson says, it could be used to transmit passwords between browser frames or windows in a secure fashion.

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Listen in as our editors talk to innovators from around the world.

  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning magazine and daily delivery of The Download, our newsletter of what’s important in technology and innovation.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.