[guardian-dev] Proof-of-concept exploit against LastPass could easily be extended to other apps.

Jon Spriggs jon at sprig.gs
Mon Nov 24 10:29:23 EST 2014


Just to note, this is why I use KeePass2Android (KP2A), which has a
dedicated keyboard, that on pressing the "user" or "password" entries will
effectively type those in for you. This is not a new issue on Android, and
has, in fact, been a public concern for quite some time.

I would recommend KP2A over KeePassDroid now, if only for that reason.
Sadly, it can't be included in f-droid, as KP2A uses Mono for Android,
which is not Free Software:
https://f-droid.org/forums/topic/keepass2android/

--
Jon "The Nice Guy" Spriggs

On 24 November 2014 at 11:24, Hans-Christoph Steiner <hans at guardianproject.info> wrote:

>
> (moving this to guardian-dev)
>
> This would be a very nice application of our TrustedIntents library.  We
> could define an Intent method for handing a password, then add
> TrustedIntents to KeePassDroid and then our apps, especially Orweb and
> Orfox.  I think that would serve as a good example as a way to fix this
> issue without having to change Android itself at all.
>
> .hc
>
> noel hidalgo | gProject:
> >
> > http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
> >
> > Using a password manager on Android? It may be wide open to sniffing
> > attacks
> >
> > Proof-of-concept exploit against LastPass could easily be extended to
> > other apps.
> >
> > by Dan Goodin - Nov 21, 2014 6:55 pm UTC
> >
> > In early 2013, researchers exposed some unsettling risks stemming from
> > Android-based password managers. In a paper titled "Hey, You, Get Off of
> > My Clipboard," they documented how passwords managed by 21 of the most
> > popular such apps could be accessed by any other app on an Android
> > device, even those with extremely low-level privileges. They suggested
> > several measures to help fix the problem.
> >
> > Almost two years later, the threat remains viable in at least some, if
> > not all, of the apps originally analyzed. An app recently made available
> > on Google Play, for instance, has no trouble divining the passwords
> > managed by LastPass, one of the leading managers on the market, as well
> > as the lesser-known KeePassDroid. With additional work, it's likely that
> > the proof-of-concept ClipCaster app would work seamlessly against many
> > other managers, too, said Xiao Bao Clark, the Australia-based programmer
> > who developed it. While ClipCaster does nothing more than display the
> > plaintext of passwords that LastPass and KeePassDroid funnel through
> > Android handsets, a malicious app with only network privileges could
> > send the credentials to an attacker without the user having any idea
> > what was happening.
> >
> > "Besides the insecurity of it, what annoyed me was that I was never told
> > any of this while I was signing up or setting up the LastPass app," Clark
> > wrote in an e-mail. "Instead, I got the strong impression from LastPass
> > that everything was very secure, and I needn't worry about any of it. If
> > they at least told users the security issues using these features
> > brings, then the users themselves could decide on their own trade-off
> > between usability and security. Not mentioning it at all strikes me as
> > disingenuous."
> >
> > Asked if LastPass has ever notified users of the risk, company CEO Joe
> > Siegrist didn't give a yes or no answer. Instead, he responded, "This is
> > an any clipboard activity problem [his emphasis] and impacts any password
> > manager involving the clipboard (100% of them)—the way all password
> > managers have consistently allowed you to enter your password into other
> > apps since Android has existed. This demonstration is aimed at LastPass,
> > but it's the whole of Android that must be addressed."
> >
> > Clark agreed that any Android-based password manager that uses the OS
> > clipboard is susceptible. He strongly recommends that people stop using
> > any app setup that works this way. Many apps use standalone browsers,
> > browser extensions, or software keyboards to enter credentials into
> > login fields. There is no evidence they are susceptible to sniffing. The
> > reason ClipCaster takes special aim at LastPass, Clark said, is simple.
> > It just happened to be the manager he installed on his phone. There are
> > no reports that password managers running on iOS or Windows Phone are
> > vulnerable. But there is no way to know for sure, since Ars is unaware
> > of any comprehensive study testing the security of managers on those
> > platforms.
> >
> > As already alluded to, the threat stems from the use of the Android
> > clipboard, which acts as a temporary cache for text that is being copied
> > and pasted, either within the same app or from one app to another.
> > Android has no official programming interface that secures the
> > clipboard. By design, its contents are available to any app installed on
> > the phone, from the highest privileged banking app to one with no
> > privileges at all. (ClipCaster, for instance, requires no permissions.)
> > Siegrist rightly noted that any password manager that makes use of the
> > Android clipboard—and there are plenty, including LastPass—is vulnerable.
> >
> > LastPass has several different methods for plucking passwords out of
> > their highly fortified vault and plugging them into the password field
> > of a browser or app. Not all of the options are susceptible to sniffing,
> > but notably, the one LastPass recommends that Android users choose
> > leaves them wide open. The option is known as autofill, a feature that
> > seamlessly plugs passwords into apps and the Chrome browser.
> >
> > Shortly after installing LastPass, Clark came across the 2013 paper that
> > discussed the clipboard vulnerability. It got him wondering about the
> > security of his decision, so he began analyzing the JavaScript autofill
> > uses to populate username and password fields in Chrome. In about an
> > hour, he had a crude but working exploit that monitored the Android
> > clipboard and captured login credentials transported by autofill. His
> > proof-of-concept app works by listening to the notices the clipboard
> > broadcasts to installed apps and looking for familiar patterns in the
> > code.
> >
> > Clark concocted a dummy account containing the username
> > "j.doe at actisec.com" and the password "s4f3p4assw0rd," and observed
> > the way the credentials were funneled through the clipboard. Autofill
> > wrote a blob of code to the clipboard and then pasted it into the
> > address bar of Chrome. The code contained the following telltale lines:
> >
> > if (l_bte) { ;
> >     l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))))
> > }
> > l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));
> >
> > [Image: ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs
> > in to Facebook. Credit: Xiao Bao Clark]
> >
> > "atob" is a JavaScript function for decoding strings that have been
> > converted into base64-encoded representations. Presumably, LastPass
> > developers chose the encoding to make it less obvious to other apps what
> > the clipboard contents are. But to anyone with a modest amount of
> > training, the measure is little more than an exercise in the largely
> > discredited protection known as "security through obscurity." ClipCaster
> > monitors the clipboard for the patterns, decodes the base64 strings and,
> > as illustrated in the image to the right, displays them.
> >
> > In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that
> > the vulnerability isn't unique to his company's product, or even to
> > Android devices.
> >
> > "This is an OS-level issue that impacts everything running on Android,"
> > he said. "If you use the clipboard to copy any data, a malicious app
> > could obtain it—like installing a clipboard monitoring software on
> > Windows or a keylogger on Windows. You can compromise your security by
> > installing bad software."
> >
> > Siegrist also noted that attacks like the one carried out by ClipCaster
> > work only when LastPass or another password manager runs on an Android
> > device that has a malicious app installed, and then only when the
> > manager uses the device's clipboard. The CEO said that LastPass users
> > should run only "trusted" apps, meaning those distributed over Google
> > Play by a trusted company and widely used and reviewed.
> >
> > Still, his statements omit some important distinctions. First, LastPass
> > on Windows doesn't use the clipboard to pass login credentials to
> > Chrome, and presumably other browsers, Clark's research found. And
> > second, most Windows users—and a growing number of Mac users as well—use
> > antivirus protection to detect such threats. Android antivirus apps
> > exist, but there's little evidence that most users install one. Third,
> > his advice about installing only trusted apps is sound, but given the
> > regular occurrence of malicious apps that slip through Google defenses
> > and are hosted in the company's official Play Store, it's unrealistic to
> > expect end users to always spot rogue titles.
> >
> > One of the key defenses of Android is its application sandbox, which
> > prevents one app from accessing sensitive data belonging to another app,
> > presumably under the premise that not all apps will be trustworthy. When
> > an app as sensitive as a password manager doesn't enjoy a protection as
> > crucial as this, the companies should make this limitation explicit.
> > LastPass and the developers of other vulnerable managers should be
> > forthright about the risks and tell users what they can do to protect
> > themselves. In the case of LastPass, the threat can be eliminated simply
> > by opting out of the recommended autofill option and instead using the
> > LastPass browser or LastPass keyboard. Many users may decide the
> > convenience of autofill is worth the added risk, but at least they will
> > be making an informed choice.
> >
> > Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined
> > in 2012 after working for The Register, the Associated Press, Bloomberg
> > News, and other publications.
> > @dangoodin001
> >
>
> --
> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
> _______________________________________________
> Guardian-dev mailing list
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
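As an added illustration of the two points made in this thread (the Android clipboard is a broadcast channel that any app can listen to without a permission, and base64 does nothing to protect what is put on it, versus a handoff that pins the receiver's signing certificate, which is the idea behind the TrustedIntents proposal above), here is a constructed Python model. It is not ClipCaster, LastPass or TrustedIntents code; the listener method names, the certificate bytes and the credentials are made up, and only the shape of the autofill blob follows the lines quoted from the article.

```python
import base64, hashlib, re

class Clipboard:
    """Constructed model of Android's ClipboardManager: listeners need no permission."""
    def __init__(self):
        self._listeners = []
    def add_primary_clip_changed_listener(self, callback):
        self._listeners.append(callback)      # no check on who is listening
    def set_primary_clip(self, text):
        for callback in self._listeners:      # broadcast to every registered app
            callback(text)
def autofill_blob(username, password):
    """Constructed stand-in for the base64-wrapped autofill script quoted above."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return ("if (l_bte) { l_sfv(l_bte, decodeURIComponent(escape(atob('%s')))) }\n"
            "l_sfv(l_bpe, decodeURIComponent(escape(atob('%s'))));"
            % (b64(username), b64(password)))
def plaintext_visible_to_listener(clip_text):
    """base64 is an encoding, not encryption: every listener can undo it."""
    args = re.findall(r"atob\('([A-Za-z0-9+/=]+)'\)", clip_text)
    return [base64.b64decode(a).decode() for a in args]
def cert_fingerprint(signing_cert_der):
    return hashlib.sha256(signing_cert_der).hexdigest()

class PasswordManager:
    """Clipboard handoff (autofill) versus a handoff only to a receiver with a pinned cert."""
    def __init__(self, clipboard, trusted_fingerprints):
        self.clipboard, self.trusted = clipboard, set(trusted_fingerprints)
    def autofill_via_clipboard(self, username, password):
        self.clipboard.set_primary_clip(autofill_blob(username, password))
    def hand_off_to_pinned_receiver(self, receiver_cert_der, username, password):
        if cert_fingerprint(receiver_cert_der) not in self.trusted:
            raise PermissionError("receiver is not signed by a pinned key")
        return {"username": username, "password": password}

def demo(username="j.doe@example.com", password="s4mpl3-pw"):
    """Returns (what the bystander app saw, pinned handoff result, unpinned refused)."""
    clip, seen = Clipboard(), []
    clip.add_primary_clip_changed_listener(seen.append)   # bystander app, no permissions
    browser_cert, rogue_cert = b"constructed browser cert", b"constructed rogue cert"
    pm = PasswordManager(clip, [cert_fingerprint(browser_cert)])
    pm.autofill_via_clipboard(username, password)
    granted = pm.hand_off_to_pinned_receiver(browser_cert, username, password)
    try:
        pm.hand_off_to_pinned_receiver(rogue_cert, username, password)
        refused = False
    except PermissionError:
        refused = True
    return plaintext_visible_to_listener(seen[0]), granted, refused
```

The bystander listener recovers both credentials from the clip text, while the pinned handoff hands them only to the receiver whose certificate fingerprint was pinned and refuses the other.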