Phishing Your Password Manager
--
UPDATE: The founder of 1Password responded to this blog after it was posted and explained that the majority of password managers out there leverage Mozilla’s Public Suffix List (PSL) to determine how the domain is to be treated. He looked and saw that Auth0 was not on the list for whatever reason, so it seems likely some of these password managers do actually take subdomains into consideration, as long as they’re on the PSL. It seems to me an attacker setting up a phishing campaign would want to check the PSL first to determine if this type of attack would work first. My advice remains the same, however, that no password manager should auto-complete fields by default and if a subdomain does not match where the credentials were saved for, it should not be trusted by default.
The Discovery
I believe there’s a flaw in the way most password managers today recognize unique “sites”, which introduces (what I think is) a new attack vector. All password managers should fix this. Hear me out. The debate about the security of password managers has long been settled. If you don’t already use one, you really should consider it. There, thanks for coming!
I noticed something interesting the other day when I was logging into a Single Sign-on (SSO) authentication service. If you’ve read my other blogs you’ll know I use unique usernames as well as passwords on each site I have a user account on. In this case I was logging into my employer’s threat hunting and response portal, Scope, which uses Auth0. I noticed my password manager, Blur, auto-completed the username and password input fields with values as a good password manager should. Although in this case, these credentials were for another site I previously used with Auth0, which was apparent to me because of the different usernames. My employer, Pondurance, uses Auth0’s Custom Domains feature so the login page is actually hosted by Auth0. I think you probably know where this is going. I found it odd, and insecure, that Blur (formerly known as DoNotTrack) wouldn’t recognize the subdomain in addition to the domain in order to identify the unique sites and retrieve credentials for them. It also got me thinking, what are the attack scenarios here and what other password managers are like this, if any?
The Research
