Plugging a Password Leak

How a simple fix made password managers more secure.

From a computer-security perspective, the best Internet passwords are long and unique to one website, and contain a mix of letters, numbers, and special characters. Unfortunately, abiding by these guidelines can make logging in to different websites a challenging memory test. Password management tools are one solution for people who can’t keep all their passwords straight, but these tools can pose their own security risks. Now researchers have found a way to make some of these systems more secure.

The researchers focused their work on a small but increasingly popular class of password managers created using bookmarklets – browser bookmarks that incorporate JavaScript code to perform a complex task, in this case, automatically logging a user in to a website. After studying six commercially available bookmarklets, the researchers identified a significant flaw: an attacker could fool the tools into revealing all of a user’s passwords.

“It’s a problem that needs to be taken seriously,” says Ben Adida, a research fellow with Harvard’s Center for Research on Computation and Society. Adida investigated the problem with Adam Barth, a postdoctoral fellow in computer science at the University of California, Berkeley, and Collin Jackson, a computer-science PhD candidate at Stanford University. Jackson recently gave a speech at MIT outlining the security problem and the team’s solution.

Typically, a bookmarklet-based password manager stores passwords for a user’s favorite websites on a central server somewhere. The next time the user visits one of those sites, he simply clicks on the bookmarklet to log in. “When the user clicks a bookmarklet, they’ve indicated that they want to release a password to the browser,” says Jackson. “The question is, which one?”

The bookmarklet usually determines which website is currently displayed by checking the URL of the browser window using JavaScript. The password manager then uses that information to determine which password to release to the browser, and the user is automatically logged in.

Adida, Barth, and Jackson found that while each bookmarklet dealt with the details of the operation differently, they all shared one fundamental problem: they couldn’t be trusted to know what website the user was actually visiting. With a few lines of code, the tool could be tricked into believing, for example, that the user was at her bank’s website when really she was at an attacker’s site.

“The attacks that we found worked a little bit differently for each password manager,” Jackson says. But all of the six tools analyzed could be manipulated to reveal a user’s stored passwords.

Fortunately, Adida and his team found a solution to the problem that was also easy to implement. Instead of checking the browser window’s location, they suggest checking another attribute: the referrer header. As long as the bookmarklet uses a standard data-transfer protocol known as Secure Sockets Layer (SSL), the header cannot be easily forged.
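A sketch of the server-side check this fix implies, added here as an illustration and not taken from the researchers or any of the vendors: the password manager picks the credential from the origin in the HTTP `Referer` header of the bookmarklet's request, and treats any location reported by page-side script as untrusted. The vault contents, function names and reason strings are assumptions, and the request is assumed to arrive over HTTPS.

```javascript
// Constructed vault keyed by exact origin (scheme + host + port).
const VAULT = new Map([
  ["https://bank.example", { username: "alice", password: "constructed-secret-1" }],
  ["https://mail.example", { username: "alice", password: "constructed-secret-2" }],
]);

// Parse the Referer header into an origin, or null if absent or malformed.
// Node lowercases incoming header names, hence "referer".
function refererOrigin(headers) {
  const raw = headers["referer"];
  if (typeof raw !== "string" || raw === "") return null;
  try {
    const origin = new URL(raw).origin;
    // Non-hierarchical schemes (data:, javascript:) yield the string "null".
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// headers: request headers set by the browser.
// claimedLocation: optional URL reported by page-side script (untrusted).
function selectCredential(headers, claimedLocation) {
  const origin = refererOrigin(headers);
  if (origin === null) return { ok: false, reason: "no-usable-referer" };

  // The script-reported location is never used for lookup. A disagreement
  // with the browser-set header is refused and is worth logging.
  if (claimedLocation !== undefined) {
    let claimed = null;
    try { claimed = new URL(claimedLocation).origin; } catch { /* mismatch */ }
    if (claimed !== origin) return { ok: false, reason: "location-mismatch", origin };
  }

  // Exact origin match only: no substring or suffix comparison.
  const credential = VAULT.get(origin);
  if (!credential) return { ok: false, reason: "unknown-site", origin };
  return { ok: true, origin, credential };
}
```

Matching on the full origin means a lookalike host such as `bank.example.attacker.test` resolves to a different vault key and receives nothing.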

Of the six bookmarklet companies contacted by the research team, five decided to implement the solution: Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The sixth company opted to warn its customers about the problem instead of fixing it as the researchers suggested.

“It was a very straightforward fix,” says Scott Blomquist, chief technical officer for MyVidoop, of Portland, OR. “It only took a few minutes of developer time.” Blomquist describes the vulnerability as “marginal” – noting that few people use the bookmarklet version of their password manager and that the attack would take some time and skill to implement.

Still, it could potentially expose users to significant financial loss. “It’s unlikely that some attacker has actually done this,” notes Adida, “but if [someone] had, you wouldn’t even know.” A user might notice that his bank account is empty, but it would be hard to figure out how the attack was perpetrated. “At the end of the day, a lot of this security stuff is a bit like selling life insurance. Most users are just not paranoid enough.”

The researchers believe that in the future, there will be an even better solution to the bookmarklet problem: a new browser feature called postMessage. Barth says that the postMessage feature is designed to allow browser windows to transmit information back and forth securely, while accurately confirming the origin of each message. Once this feature is implemented in most browsers, Jackson says, it could be used to transmit passwords between browser frames or windows in a secure fashion.
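How a postMessage-based exchange could confirm origins on both sides, as an added example that is not code from the researchers or any vendor: the manager's frame looks up the credential by the browser-supplied `event.origin` and addresses its reply to that same origin, and the site's page accepts a reply only from the manager's origin. The origins, message shapes and function names are assumptions.

```javascript
// Constructed store keyed by exact origin.
const STORE = new Map([
  ["https://bank.example", { username: "alice", password: "constructed-secret" }],
]);

// Runs in the password manager's frame.
// event.origin is set by the browser, not by the requesting page's script.
function handleRequest(event, store) {
  if (!event.data || event.data.type !== "credential-request") return false;
  const cred = store.get(event.origin);
  if (!cred) return false; // unknown requester: release nothing
  // A specific targetOrigin (never "*") makes the browser drop the message
  // if the requesting window is no longer at that origin.
  event.source.postMessage(
    { type: "credential", username: cred.username, password: cred.password },
    event.origin
  );
  return true;
}

// Runs in the site's login page. Accepts a reply only from the manager.
function handleReply(event, managerOrigin, fill) {
  if (event.origin !== managerOrigin) return false;
  if (!event.data || event.data.type !== "credential") return false;
  fill(event.data.username, event.data.password);
  return true;
}

// In a browser, each side registers its handler, for example:
//   window.addEventListener("message", (e) => handleRequest(e, STORE));
```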
