‘Attack steals password manager credentials using guest account’
Two researchers at the Finnish University of Aalto demonstrated at Def Con attacks on password managers and FIDO keys using interprocess communication on a computer. For example, the attack is possible via a guest account.
The two researchers who presented their findings, Sid Rao and Thanh Bui, say that communication is through inter-process communication. With their research they show that an attacker without rights, for example using a guest account on a shared computer or a remote desktop connection, can eavesdrop on the communication between processes of another user. In their research they focused on communication via network sockets, USB and named pipes.
They illustrated the first way through an attack on password managers, of which 1Password is the most well-known. For example, there is a version of 1Password where a browser extension communicates with a desktop app, which acts as a local web socket server. There is an extensive check by the server, i.e. the app, to verify that it is indeed dealing with a legitimate client. However, this check does not take place in reverse, allowing the researchers to pretend to be the server. It receives information that a user enters in form fields on web pages via the browser extension. In this way, the researchers on macOS were able to steal the entered data, as they showed in a demo.
According to the researchers, 1Password has now closed the vulnerability. They also showed an attack where an attacker could intercept a confirmation of a FIDO security key, which is connected via USB. They assume that the attacker already has the password of his target. The attacker enters this and waits for the request to insert the key into the USB port and touch it briefly for confirmation. By relaying the browser’s request to the key at a high frequency, the researchers say they’ll have a high chance of intercepting the confirmation once the target actually logs into a random site with the key. This method works because Windows USB hid devices can be accessed by any user process.
As possible countermeasures, the researchers mentioned limiting the number of users on a single system and disabling ssh and remote desktop applications. It would also be conceivable to apply cryptographic protection.
Vulnerable apps. The leaks have been reported to the relevant parties