Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Password Management Concerns with IE and Firefox, part two

Created: 10 Dec 2006 • Updated: 10 Mar 2010 | 2 comments
Anonymous's picture
0 0 Votes
Login to vote

by Mikhael Felker

Introduction and review of part one

This article presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems: those found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

  • Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).
  • Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially address in part 1; continued now in part 2)
  • False sense of security: Users employing password managers without any awareness of the risk factors.
  • Usability: Features that enhance or deter the usability of security features.
  • Mitigation and Countermeasures: Actions that can be taken by users and corporations to reduce the risk.

Part one of this article concluded just after discussing two JavaScript attacks against web browsers. Readers should review part one before continuing on with this article.

We now continue the discussed by looking at more attacks on Password Managers. The author will then address the remaining goals of the article - in particular, how the use of password managers give users a false sense of security, usability issues, and important mitigation and countermeasures.

To maintain consistency, section numbers (5.1, 5.2, etc.) now continue from where part one left off.

5.2 Firefox 2.0 password manager implementation flaw (JavaScript reverse cross-site scripting)

Firefox's password manager (version 2.0) as of Novermber 2006 has a software flaw that allows a user's credentials (from the site being currently visited) to be posted to any URL if the user clicks a maliciously crafted link. [ref 22] The vulnerability, now being called as Reverse Cross-Site Request (RCSR), derives from the fact the browser does not control the URL to which credentials are sent via web forms. The user must have previously visited the site and had the password manager save the credentials for the attack to work. This information stealing tactic has been carried out on MySpace.com and was discovered by CIS. [ref 23] Social networking sites that allow users to post pure HTML are most susceptible.

RCSR is more potent than the attack described in section 5.1 (in part one of this article) because the XMLHttpRequest does not allow requests outside the current domain. Additionally, the link (action that allows the form to submit) can appear in the form of an embedded video, webcast, or perhaps game making it increasingly covert.

5.3 Revealing Internet Explorer passwords

5.3.1 Password recovery

Many companies now have commercial software to recover passwords from IE's AutoComplete. ElcomSoft produces the Advanced Internet Explorer Password Recovery (AIEPR) program. [ref 24] As stated on its website it can recovery any AutoComplete information on any of IE versions from 3 to 6, as long as the user is logged in. Freeware programs such as PassView [ref 25], which works for IE versions 4 through6, and IEPassView, for IE7 [ref 26], are also available.

5.3.2 Malware

Internet Explorer is usually a prime target for malware infection. However as it relates to this article, these vulnerabilities converge at a dangerous point where malware programs are specifically targeting AutoComplete information. These programs gain confidential information, and then send it back to the attacker. BackDoor-AXJ [ref 27] is a Trojan program that stores AutoComplete and other information on a victim machine, and then sends the information back to the controller. Srv.SSA-KeyLogger [ref 28] is a backdoor that installs covertly on Internet Explorer and acts as a key logger. The backdoor also covertly turns on AutoComplete, steals data from Protected Storage and sends it back via the HTTP GET method.

5.4 Revealing Firefox passwords

5.4.1 Easily accessible clear text passwords

For users unfamiliar with the Firefox Password Manager, anyone who is logged in with physical access to the computer can view passwords in cleartext when navigating the following:

On Windows XP:

    Firefox 1.5
    Tools | Options | Privacy | Passwords | View Saved Passwords | View Passwords | Show Passwords

    Firefox 2.0
    Tools | Options | Security | Show Passwords | Show Passwords

5.4.2 Master Password Attacks

Recently, tools have been developed to perform password attacks on the Master Password in Firefox. The following attacks are currently feasible:

  • Brute force
  • Dictionary
  • Hybrid

Firemaster is a password cracker that was designed to derive the Master Password in Firefox . [ref 29] The tool, written in C++, was released by N. Y. Talekar in early January 2006; the source code is current available online. Other tools written in C with scripting functionality have also been developed . [ref 30] As a result of the development of these tools, the confidentiality of the password database is completely reliant on the Master Password to withstand these attacks. Needless to say poor password choice (lowercase dictionary words) can be cracked in microseconds. Moreover, having no password will disclose the password database immediately. This is essentially equivalent to navigating the options menu in Firefox to Show Passwords.

5.4.3 Multiple username/password entries per URL

Firefox has an interesting feature in that it will allow multiple authentication entries to be entered in for a web site. For instance lets say two fictional characters, Alice and Bob, use Firefox Password Manager on the same Windows XP user account but have different banking accounts on the same web site (www.pncbank.com). The Password Manager will allow multiple username and password pairs. The Password Manager will distinguish when to use each web account based on the username and automatically fill the password field. This feature provides the ability to view the other person's credentials, such as the following:

    URL
    bob
    k9x763s
    alice
    n63ld23f

Based on security models, no two individuals should be using the same computer user account; however this scenario is still a security risk because not all organizations follow best practices. Additionally there is a similar concern if a username/password pair is accidentally entered incorrectly for a specific site (such as mistakenly switching two logins for different banking sites). That information will be stored (even though it's not used), and could be compromised some time in the future without the knowledge of the participant.

5.4.4 Denial of Service Attacks

Any user or program with right permissions to a user's local profile on the file system can potentially attack the integrity and availability of the Password manager. If vital files (keyN.db, certN.db, secmod.db, signons.txt) are deleted or modified the result would be that no usernames or passwords are recoverable. The most important of these files are KeyN.db and signons.txt, which hold private keys and encrypted data, respectively.

In order to ensure integrity and availability of the password database it would be prudent to copy keyN.db, certN.db, secmod.db, and signons.txt to a secure location. Thus if those files are modified or deleted and the Password Manager is no longer available, it would still be possible to recover the password database by copying the files back to the Firefox profile directory.

Continued on page 2...


[ref 22] "Firefox Password Manager Information Disclosure." http://secunia.com/advisories/23046
[ref 23] "CIS Finds Flaws in Firefox v2 Password Manager." http://www.info-svc.com/news/11-21-2006/
[ref24 ] AIEPR, http://www.elcomsoft.com
[ref 25] N. Sofer, "Protected Storage PassView," http://www.nirsoft.net/utils/pspv.html
[ref 26] N. Sofer, "IE PassView v.1.00," http://www.nirsoft.net/utils/internet_explorer_password.html
[ref 27] BackDoor-AXJ, McAfee, June 2004. http://vil.nai.com/vil/content/v_100488.htm
[ref 28] Srv.SSA-KeyLogger, Counter Spy Research Center, http://research.sunbelt-software.com/Advisory.cfm
[ref 29] N. Y. Talekar, Firemaster: firefox master password cracker, 2006. http://nagmatrix.50webs.com/article_firemaster.html
[ref 30] "Mozilla saved passwords recovery (export) utility," 2005, http://wejn.org/stuff/moz-export.html, (Accessed March 2006).

6. False sense of security

Users are neither fully aware nor informed of the risks when they perhaps naively make use the password management systems of web browsers. The danger in this lies with carelessness in saving any username and password whether it is for accessing a simple news group or something more discrete and sensitive like financial information at an online brokerage. Users expect that the browser, possibly in conjunction with the operating system, will protect their information and abstract the security mechanism. In reality, the threat of complete compromise could be realized more easily than users perceive. Web browsers as applications are particularly dangerous in that they are installed in most computer systems, used by everyone, and store all usernames and passwords that the user enters. The confluence of these factors makes web browsers a particularly tempting target for unscrupulous malicious actors.

7. Usability

The usability features of password management of Internet Explorer and Firefox are outlined below in Table 2. Some key differences include the ability to see passwords in the clear in Firefox, but not Internet Explorer. This could be considered both as a security risk or a feature - it depends if the Master Password is set. Additionally Firefox has a very useful feature that allows usernames and passwords to be for specifically excluded for certain sites (e.g. highly sensitive credentials for certain sites that cannot tolerate high risk of exposure might be included). In AutoComplete this choice is only made once and cannot be easily changed unless going to the obscure registry keys. AutoComplete does however have an advantage on the Password Manager in that the user can choose whether to save URL, username or password, not mandating all three to be saved such as in Firefox.

Feature Internet Explorer 7 Firefox 2.0
Prompted for saving passwords yes yes
Ability to easily change per website preference "saved" vs. "not saved"   yes
Ability to NOT save any information in forms yes yes
Ability to easily access passwords in plaintext   yes
Ability to choose to save URL, usernames, or passwords yes  


Table 2. Comparison of Usability Features (IE and Firefox).

8. Defense strategies

8.1 User based defenses

8.1.1 Avoidance

One method to prevent password compromise is to refrain from using either IE or the Firefox password manager. This however might tempt users to choose the same password for more sites, which is detrimental to security posture. Thus avoidance should be employed if there is alternative method to be substituted for it. There is also a chance a user might accidentally save passwords in the course of regular browsing.

8.1.2 Disable password manager

This would prevent the password manager from the ability to save usernames and passwords however might fall pray to similar issues as avoidance. This strategy is different from the web based approach that will be discussed in section 8.2.

8.1.3 Alternative "proven" password managers

One common way users store passwords is in a general application called Password Safe . [ref 31] Originally designed by Bruce Schneier [ref 32], the open-source windows utility is now a popular method of storing and accessing passwords. Passwords are encrypted with the Schneier's Blowfish block cipher and protected by a Safe Combination (master password).

Prudence and hesitation should be practiced before using any new program. However, a program whose sole intention is to store sensitive information has more narrow focus than any web browser with a password saving feature. The narrow focus of this open source password manager, and its design by a well-known cryptographer, are reasons to keep it as an option for further evaluation. The comparative disadvantage is that both AutoComplete and Password Manager provide convenience and simplicity to users; there is no need to switch applications to gain access to usernames and passwords.

8.1.4 Password Complexity

As noted in previous sections having a strong master password can go a long way in preventing some attacks.

As previously mentioned, Internet Explorer does not allow you to choose a master password for AutoComplete; the security of information stored with AutoCompete is tied directly to the Windows user account password. Choosing a stronger Windows password will provide some minimal additional protection. However, for those actors employing RainbowCrack, Windows passwords are compromised within minutes. Creating a stronger password in Password Manager for Firefox can significantly reduce the risk of compromise. A good password encompassing a length greater than eight, with random special characters, and a good mixture of alphanumeric characters can significantly add protection. Distributed password cracking attacks are possible on the Firefox Password Manager, but have not made it to the mainstream, and those employing greater prudence might escape victimization. In any case, users of Firefox gain an extra layer of protection by using a password as compared to their IE counterparts.

8.2 Web Developer based remediation

In the scope of web development, commerce sites and financial institutions can perform certain actions in protecting users from future password compromise. Both Internet Explorer and Firefox have the ability to prevent password saving if the attributes of the <INPUT> tag in HTML are properly set. [ref 33] For instance, the example below is adopted from the MSDN site and shows how easy it is to incorporate this change into any website. Using this method, institutions that are risk averse can prevent their visitors from saving their password in either IE or Firefox.

This text value will be SAVED:

    <INPUT TYPE="text" NAME="password" AUTOCOMPLETE="ON">

This text value will NOT BE SAVED:

    <INPUT TYPE="text" NAME="password" AUTOCOMPLETE="OFF">

Banks that use this feature include Washington Mutual, Chase Manhattan as well as others including Fidelity, E*Trade, Vanguard, Schwab, and so on. Some organizations that do not use this feature include the PNC Bank Oppenheimer funds. If every website followed this practice, the result would cancel out any benefit from the use of password managers in browsers. Thus this method should be evaluated by each organization individually to determine if it is an appropriate solution. Using this method does not guarantee the client is safe, as pointed out in section 5.1. HTML and JavaScript can be modified at the client level, switching the "OFF" to "ON."

8.3 Windows enterprise security remediation

It is possible to disable Internet Explorer's AutoComplete feature for enterprise security. The use of Group Policy Objects (GPO) is an easy way to manage a large number of computer systems by controlling user and machine settings by editing a single policy. Using Windows Server 2003 in an Active Directory environment, it is possible to disable AutoComplete settings [ref 34] over an entire corporation or organization.

9. Conclusion

Risk of subversion and compromise to the password storage mechanisms of web browsers such as Internet Explorer and Firefox need further evaluation. Any system that controls the keys to the kingdom or many kingdoms should be further scrutinized. Users need to become more aware of the risks and benefits of using password management systems. Current methods of mitigation such as avoidance, immobilization, alternative storage, and password complexity are only temporary solutions. Users expect security to be transparent, usable, and secure. Thus the next generation of password management systems should take all those considerations into account for design decisions.

10. Acknowledgments

Thanks to Sasha Romanosky, Adrian Perrig, Alessandro Acquisti, Timothy Summers, Eric Doversberger, and Michael Cole for their feedback in improving the article.

Complete references for part 2

[ref 22] "Firefox Password Manager Information Disclosure." http://secunia.com/advisories/23046
[ref 23] "CIS Finds Flaws in Firefox v2 Password Manager." http://www.info-svc.com/news/11-21-2006/
[ref24 ] AIEPR, http://www.elcomsoft.com
[ref 25] N. Sofer, "Protected Storage PassView," http://www.nirsoft.net/utils/pspv.html
[ref 26] N. Sofer, "IE PassView v.1.00," http://www.nirsoft.net/utils/internet_explorer_password.html
[ref 27] BackDoor-AXJ, McAfee, June 2004. http://vil.nai.com/vil/content/v_100488.htm
[ref 28] Srv.SSA-KeyLogger, Counter Spy Research Center, http://research.sunbelt-software.com/Advisory.cfm
[ref 29] N. Y. Talekar, Firemaster: firefox master password cracker, 2006. http://nagmatrix.50webs.com/article_firemaster.html
[ref 30] "Mozilla saved passwords recovery (export) utility," 2005, http://wejn.org/stuff/moz-export.html, (Accessed March 2006).
[ref 31] Password Safe. http://passwordsafe.sourceforge.net/
[ref 32] Bruce Schneier, Password Safe, http://www.schneier.com/passsafe.html
[ref 33] Mozilla Development Center, "How to Turn Off the Autocompletion Feature", 2002, developer.mozilla.org
[ref 34] TechNET, "Internet Explorer Maintenance Extension Technical Reference", technet.microsoft.com, (Accessed April 2006)

About the author

Mikhael Felker is a graduate student of Information Security Policy and Management at Carnegie Mellon University.

Reprints or translations

Reprint or translation requests require prior approval from SecurityFocus.

© 2006 SecurityFocus

Comments?

Public comments for Infocus technical articles, as shown below, require technical merit to be published. General comments, article suggestions and feedback are encouraged but should be sent to the editorial team instead.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.

Comments 2 CommentsJump to latest comment

JEskenazi's picture

Browsers need to undergo more intensive usability testing in order to ensure that the features that they come with help the users with their workflow instead of slowing them down. On top of that, security is a big concern too. I am pretty sure encrypting the saved passwords using a master password would be acceptable to most users.

0
Login to vote
SamuelX's picture

Ignorance in the part of users is the prime cause of password compromising. Either they don't know how to best utilize the browser password manager or avoid the common warning. The best way is that you can choose a good password manager tools. These tools have great features and their data is stored by 256-bit AES data encryption method. Also most of them use SSL in data commnication and sharing. For imporatant sites like financial sites you can use one of these. But for common sites like entertainment sites or news sits you can safely use the browser password manager. 

password manager

0
Login to vote