Exploiting Leakage in Password Managers via Injection Attacks
Andrés Fábrega, Armin Namavari, Rachit Agarwal, Ben Nassi, Thomas Ristenpart

TL;DR
This paper investigates injection attack vulnerabilities in password managers, demonstrating how adversaries can extract sensitive data by injecting payloads and analyzing protected states, leading to practical exploits across multiple applications.
Contribution
It identifies common design flaws in password managers that enable injection-based attacks and provides attack templates validated on ten different applications.
Findings
Successfully recovered passwords, URLs, usernames, and attachments
Disclosed vulnerabilities led to vendor mitigations
Developed general attack templates for exploitation
Abstract
This work explores injection attacks against password managers. In this setting, the adversary (only) controls their own application client, which they use to "inject" chosen payloads to a victim's client via, for example, sharing credentials with them. The injections are interleaved with adversarial observations of some form of protected state (such as encrypted vault exports or the network traffic received by the application servers), from which the adversary backs out confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames, and attachments. We develop general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of ten distinct password manager applications. We disclosed our…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Security and Verification in Computing
