White Paper: Browser Extension Password Managers
This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below.
Browser Extension Password Managers
05 Nov 2013 – Paul Youn
Advancements in password cracking and frequent theft of password databases endanger single-factor password authentication systems. Password managers are one of the only tools available that can help users remember unique high-entropy passwords, and other secrets such as credit card numbers, for a large number of applications. Can password managers deliver on security promises, or do they introduce their own security vulnerabilities? This paper examines popular browser-based password managers and presents common security flaws that could be exploited to remotely extract a user’s password.
Previous research on password managers has focused on the cryptographic protections of the passwords themselves in particular environments such as mobile devices. This research instead focuses on browser specific integrations and mechanisms to remotely compromise credentials. Four of the most popular password managers were examined: LastPass, OneLastPass, 1Password, and MaskMe.
This research shows that the examined password managers made design decisions that greatly increase the chance of users unknowingly exposing their passwords through application-level flaws. Many of the flaws relate to the browser-integrated password managers that don’t follow the same-origin policy that is crucial to browser security. In the case of password managers, this means that passwords could be filled into unintended credential forms, making password theft easier.
Check out the full paper below