[guardian-dev] Proof-of-concept exploit against LastPass could easily be extended to other apps.
Hans-Christoph Steiner
hans at guardianproject.info
Mon Nov 24 06:24:46 EST 2014
(moving this to guardian-dev)
This would be a very nice application of our TrustedIntents library. We could
define an Intent method for handing a password, then add TrustedIntents to
KeePassDroid and then our apps, especially Orweb and Orfox. I think that
would serve as a good example of a way to fix this issue without having to
change Android itself at all.
.hc
noel hidalgo | gProject:
> http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
>
> RISK ASSESSMENT / SECURITY & HACKTIVISM
> Using a password manager on Android? It may be wide open to sniffing attacks
>
> Proof-of-concept exploit against LastPass could easily be extended to other apps.
>
> by Dan Goodin - Nov 21, 2014 6:55 pm UTC
>
> ANDROID HACKING
> [Image credit: Aurich Lawson]
>
> In early 2013, researchers exposed some unsettling risks stemming from
> Android-based password managers. In a paper titled "Hey, You, Get Off of My
> Clipboard," they documented how passwords managed by 21 of the most popular such
> apps could be accessed by any other app on an Android device, even those with
> extremely low-level privileges. They suggested several measures to help fix the
> problem.
>
> Almost two years later, the threat remains viable in at least some, if not all,
> of the apps originally analyzed. An app recently made available on Google Play,
> for instance, has no trouble divining the passwords managed by LastPass, one of
> the leading managers on the market, as well as the lesser-known KeePassDroid.
> With additional work, it's likely that the proof-of-concept ClipCaster app would
> work seamlessly against many other managers, too, said Xiao Bao Clark, the
> Australia-based programmer who developed it. While ClipCaster does nothing
> more than display the plaintext of passwords that LastPass and KeePassDroid
> funnel through Android handsets, a malicious app with only network privileges
> could send the credentials to an attacker without the user having any idea what
> was happening.
>
> "Besides the insecurity of it, what annoyed me was that I was never told any of
> this while I was signing up or setting up the LastPass app," Clark wrote in an
> e-mail. "Instead, I got the strong impression from LastPass that everything was
> very secure, and I needn't worry about any of it. If they at least told users
> the security issues using these features brings, then the users themselves could
> decide on their own trade-off between usability and security. Not mentioning it
> at all strikes me as disingenuous."
>
> Asked if LastPass has ever notified users of the risk, company CEO Joe Siegrist
> didn't give a yes or no answer. Instead, he responded, "This is an any clipboard
> activity problem [his emphasis] and impacts any password manager involving the
> clipboard (100% of them)—the way all password managers have consistently allowed
> you to enter your password into other apps since Android has existed. This
> demonstration is aimed at LastPass, but it's the whole of Android that must be
> addressed."
>
> Clark agreed that any Android-based password manager that uses the OS clipboard
> is susceptible. He strongly recommends that people stop using any app setup that
> works this way. Many apps use standalone browsers, browser extensions, or
> software keyboards to enter credentials into login fields. There is no evidence
> they are susceptible to sniffing. The reason ClipCaster takes special aim at
> LastPass, Clark said, is simple. It just happened to be the manager he installed
> on his phone. There are no reports that password managers running on iOS or
> Windows Phone are vulnerable. But there can be no way to know for sure, since
> Ars is unaware of any comprehensive study testing the security of managers on
> those platforms.
>
> As already alluded, the threat stems from the use of the Android clipboard,
> which acts as a temporary cache for text that is being copied and pasted, either
> within the same app or from one app to another. Android has no official
> programming interface that secures the clipboard. By design, its contents are
> available to any app installed on the phone, from the highest privileged banking
> app to one with no privileges at all. (ClipCaster, for instance, requires no
> permissions.) Siegrist rightly noted that any password manager that makes use of
> the Android clipboard—and there are plenty, including LastPass—is vulnerable.
>
> LastPass has several different methods for plucking passwords out of their
> highly fortified vault and plugging them into the password field of a browser or
> app. Not all of the options are susceptible to sniffing, but notably, the one
> LastPass recommends that Android users choose leaves them wide open. The option
> is known as autofill, a feature that seamlessly plugs passwords into apps and
> the Chrome browser.
>
> Shortly after installing LastPass, Clark came across the 2013 paper that
> discussed the clipboard vulnerability. It got him wondering about the
> security of his decision, so he began analyzing the JavaScript autofill uses
> to populate username and password fields in Chrome. In about an hour, he had
> a crude but working exploit that monitored the Android clipboard and captured
> login credentials transported by autofill. His proof-of-concept app works by
> listening to the notices the clipboard broadcasts to installed apps and looking
> for familiar patterns in the code.
>
> Clark concocted a dummy account containing the username "j.doe@actisec.com" and
> the password "s4f3p4assw0rd," and observed the way the credentials were funneled
> through the clipboard. Autofill wrote a blob of code to the clipboard and then
> pasted it into the address bar of Chrome. The code contained the following
> telltale lines:
>
> if (l_bte) {
>     l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))))
> }
> l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));
>
> An image of ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs in
> to Facebook.
> Xiao Bao Clark
> "atob" is a JavaScript function for decoding strings that have been
> converted into base64-encoded representations. Presumably, LastPass
> developers chose the encoding to make it less obvious to other apps what the
> clipboard contents are. But to anyone with a modest amount of training,
> the measure is little more than an exercise in the largely discredited
> protection known as "security through obscurity." ClipCaster monitors the
> clipboard for the patterns, decodes the base64 strings and, as illustrated in
> the image to the right, displays them.
>
> In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that
> the vulnerability isn't unique to his company's product, or even to Android devices.
>
> "This is an OS-level issue that impacts everything running on Android," he said.
> "If you use the clipboard to copy any data, a malicious app could obtain it—like
> installing a clipboard monitoring software on Windows or a keylogger on Windows.
> You can compromise your security by installing bad software."
>
> Siegrist also noted that attacks like the one carried out by ClipCaster work
> only when LastPass or another password manager runs on an Android device
> that has a malicious app installed, and then only when the manager uses the
> device's clipboard. The CEO said that LastPass users should run only "trusted"
> apps, meaning those distributed over Google Play by a trusted company and widely
> used and reviewed.
>
> Still, his statements omit some important distinctions. First, LastPass on
> Windows doesn't use the clipboard to pass login credentials to Chrome,
> and presumably other browsers, Clark's research found. And second, most Windows
> users—and a growing number of Mac users as well—use antivirus protection to
> detect such threats. Android antivirus apps exist, but there's little evidence
> that most users install one. Third, his advice about installing only trusted
> apps is sound, but given the regular occurrence of malicious apps that slip
> through Google defenses and are hosted in the company's official Play Store,
> it's unrealistic to expect end users to always spot rogue titles.
>
> One of the key defenses of Android is its application sandbox, which prevents
> one app from accessing sensitive data belonging to another app, presumably under
> the premise that not all apps will be trustworthy. When an app as sensitive as a
> password manager doesn't enjoy a protection as crucial as this, the companies
> should make this limitation explicit. LastPass and the developers of other
> vulnerable managers should be forthright about the risks and tell users what
> they can do to protect
> themselves. In the case of LastPass, the threat can be eliminated simply by
> opting out of the recommended autofill option and instead using the LastPass
> browser or LastPass keyboard. Many users may decide the convenience of autofill
> is worth the added risk, but at least they will be making an informed choice.
>
> Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012
> after working for The Register, the Associated Press, Bloomberg News, and other
> publications.
> @dangoodin001
>
>
> © 2014 Condé Nast. All rights reserved
>
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
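As a defender-side complement to the article's description (an added example, not code from this thread, from LastPass, or from ClipCaster): a small Python harness that a password manager's test suite could run over whatever text the app is about to hand to the clipboard, reporting whether a known test credential is recoverable at any trivial decoding layer (plain, percent-encoded, or inside an atob('...') base64 literal). The sample payload is reconstructed from the lines quoted above; the secrets list, the layer labels and all function names are constructed for this example, and the password used is what the quoted base64 literal actually decodes to, which differs slightly from the spelling in the prose.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed sample: the autofill blob quoted in the article, joined into the
# single string a password manager would place on the clipboard.
SAMPLE_CLIPBOARD = (
    "if (l_bte) { "
    "l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20=')))) } "
    "l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));"
)

# Constructed test credentials. The e-mail address is the article's dummy
# account; the password is what the article's base64 literal decodes to.
TEST_SECRETS = ["j.doe@actisec.com", "s4fepassw0rd"]

# Matches the atob('...') call the article singles out as the telltale pattern.
ATOB_LITERAL = re.compile(r"atob\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def decoded_views(payload):
    """Yield (layer, text) pairs: the payload as-is, plus each encoding layer
    that any zero-permission clipboard reader could peel off trivially."""
    yield "plain", payload
    # Percent-encoding hides nothing from unquote().
    unquoted = urllib.parse.unquote(payload)
    if unquoted != payload:
        yield "url-decoded", unquoted
    # Every base64 literal handed to atob() is one b64decode() away.
    for match in ATOB_LITERAL.finditer(payload):
        literal = match.group(1)
        try:
            raw = base64.b64decode(literal, validate=True)
        except (ValueError, binascii.Error):
            continue
        yield "atob:" + literal, raw.decode("utf-8", errors="replace")


def find_leaks(payload, secrets):
    """Return [(secret, layer), ...] for every known secret recoverable from
    the payload at any layer. An empty list means the payload is clean."""
    hits = []
    for layer, text in decoded_views(payload):
        for secret in secrets:
            if secret in text:
                hits.append((secret, layer))
    return hits


def clipboard_is_safe(payload, secrets):
    """Assertion helper for a test suite: True only if no secret leaks."""
    return not find_leaks(payload, secrets)


if __name__ == "__main__":
    for secret, layer in find_leaks(SAMPLE_CLIPBOARD, TEST_SECRETS):
        print(f"LEAK: {secret!r} recoverable via layer {layer}")
    print("safe:", clipboard_is_safe(SAMPLE_CLIPBOARD, TEST_SECRETS))
```

The point of the harness is the one the article makes about security through obscurity: a credential that is merely base64- or percent-encoded on the way to the clipboard is still on the clipboard, so a manager's tests should assert clipboard_is_safe() on every handoff path (or, as suggested at the top of this thread, avoid the clipboard altogether and hand the credential over a channel whose receiver can be verified).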