Browser Password Managers
a case of browser password managers
Do users put too much trust and faith in client-side browsers being able to stop malicious JavaScript?
…
Initial writeup 12-01-2022
I have recently stumbled onto a password manager confusion vulnerability (proof-of-concept idea).
I use the words user and client-side; they are related and interchangeable.
TL;DR: The Microsoft Edge (Chromium) password manager can't distinguish between subdomains, leading to possible password phishing and confusion attacks.
It appears that websites which have subdomains (at various levels) for their respective customers, such as workday.com and myworkdayjobs.com, cause the password manager to match only on the domain, ignoring the differences between the (thousands of) subdomains. I would suspect that payroll sites such as adp.com or paychex.com are also susceptible to this.
sub2.sub1.example.tld.
sub1.example.tld.
Why does it matter?
The password manager will automatically populate the password for the wrong subdomain (sub2 versus sub1). It does this because it makes no distinction between subdomains. In the case of workday.com, the subdomains belong to different clients of Workday, and in some cases to rival companies.
The user has no way to identify whether the populated username and password are for the subdomain in question.
The user hits Enter, having had no quick or easy way to verify that the auto-populated password is for the correct website. As a result, the populated password is now available to the site's code (thanks to JavaScript).
This needs to be validated on WebKit browsers, as it was discovered on Chromium:
Microsoft Edge Version 107.0.1418.62 (Official build) (64-bit)
If the client browser has active browser extensions, they too can now read the loaded password text in the password field.
If the user (client) reuses passwords, that password is now compromised for every site where it is used.
If the user doesn't reuse passwords, they have still just provided a username and password (or hash) to a site, and its logs, that the user never intended to receive them. This means the user can be phished, or confused with a link, into having the client-side browser fill sensitive information into a loaded form that the browser's password manager can't distinguish from the intended one.
Example of domain vulnerable to password manager confusion.
{CompanyName}.wd{1,3,5}.myworkdayjobs.com
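To make the matching problem concrete, here is an added example (not Edge or Chromium code, and not part of the original writeup) that models two credential-matching policies against a constructed vault: the lax "match on the registrable domain" behaviour described above, and the strict exact-host matching a defender would want. Names such as `credentialsForPage` are hypothetical, and the registrable-domain lookup is simplified to the last two labels rather than a real Public Suffix List check.

```javascript
// Added illustration, not browser code. Models the subdomain-blind matching
// described in the writeup next to strict host matching.

// Simplification (assumption): registrable domain = last two labels.
// Real browsers consult the Public Suffix List, so this is wrong for
// suffixes such as co.uk; it is enough for the myworkdayjobs.com case.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// policy "registrable-domain": credentials saved for any host under the same
// registrable domain are offered, so tenant A's login fills on tenant B's page.
// policy "exact-host": only credentials saved for exactly this host are offered.
function credentialsForPage(saved, pageUrl, policy) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // never fill over plain HTTP
  return saved.filter((cred) => {
    const origin = new URL(cred.origin);
    if (origin.protocol !== "https:") return false;
    if (policy === "exact-host") return origin.host === page.host;
    return registrableDomain(origin.hostname) === registrableDomain(page.hostname);
  });
}

// Constructed sample vault: one tenant of a multi-tenant SaaS host plus an
// unrelated site (all values made up for this example).
const SAVED = [
  { origin: "https://acme.wd1.myworkdayjobs.com", username: "alice@acme.example" },
  { origin: "https://bank.example", username: "alice" },
];

// Constructed login page of a different tenant on the same SaaS domain.
const RIVAL_TENANT_LOGIN = "https://rival.wd3.myworkdayjobs.com/login";

// Under the lax policy the acme credential is offered on the rival tenant's
// page; under exact-host matching nothing is offered there.
console.log(credentialsForPage(SAVED, RIVAL_TENANT_LOGIN, "registrable-domain"));
console.log(credentialsForPage(SAVED, RIVAL_TENANT_LOGIN, "exact-host"));
```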
#PasswordManager #Chromium #Edge #Confusion #cwe203
https://cwe.mitre.org/data/definitions/203.html