Automated Password Extraction Attack on Modern Password Managers
Raul Gonzalez, Eric Y. Chen, Collin Jackson

TL;DR
This paper introduces Lupin, a tool that exploits web browser password managers to extract stored passwords from many websites, highlighting significant security vulnerabilities in current implementations.
Contribution
The paper presents Lupin, a novel automated attack tool that can extract passwords from browser password managers on non-HTTPS pages, revealing widespread vulnerabilities.
Findings
At least 28% of the top 45,000 websites are vulnerable.
Lupin can extract passwords from 1,000 websites in under 35 seconds.
The attack works even when the login form's destination address is served over HTTPS.
Abstract
To encourage users to use stronger and more secure passwords, modern web browsers offer users password management services, allowing users to save previously entered passwords locally onto their hard drives. We present Lupin, a tool that automatically extracts these saved passwords without the user's knowledge. Lupin allows a network adversary to obtain passwords as long as the login form appears on a non-HTTPS page. Unlike existing password sniffing tools, Lupin can obtain passwords for websites users are not visiting. Furthermore, Lupin can extract passwords embedded in login forms with a destination address served in HTTPS. To determine the number of websites vulnerable to our attack, we crawled the top 45,000 most popular websites from Alexa's top website list and discovered that at least 28% of these sites are vulnerable. To further demonstrate the feasibility of our attack, we…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Spam and Phishing Detection
