Andrea Infantino (University of Illinois Chicago), Mir Masood Ali (University of Illinois Chicago), Kostas Solomos (University of Illinois Chicago), Jason Polakis (University of Illinois Chicago)

Password managers significantly improve password-based authentication by generating strong and unique passwords, while also streamlining the actual authentication process through autofill functionality. Crucially, autofill provides additional security protections when employed within a traditional browsing environment, as it can trivially thwart phishing attacks due to the website's domain information being readily available. With the increasing trend of major web services deploying standalone native apps, password managers have also started offering universal autofill and other user-friendly capabilities for desktop environments. However, it is currently unknown how password managers' security protections operate in these environments. In this paper, we fill that gap by presenting the first systematic empirical analysis of the autofill-related functionalities made available by popular password managers (including 1Password and LastPass) in major desktop environments (macOS, Windows, Linux). We experimentally find that password managers adopt different strategies for interacting with desktop apps and employ widely different levels of safeguards against UI-based attacks. For instance, on macOS, we find that a high level of security can be achieved by leveraging OS-provided APIs and checks, while on Windows we identify a lack of proper security checks mainly due to OS limitations. In each scenario, we demonstrate proof-of-concept attacks that allow other apps to bypass the security checks in place and stealthily steal users' credentials, one-time passwords, and vault secret keys through unobservable simulated key presses. Accordingly, we propose a series of countermeasures that can mitigate our attacks. Due to the severity of our attacks, we disclosed our findings and proposed countermeasures to the analyzed password manager vendors, which has kickstarted the remediation process for certain vendors and also been awarded a bug bounty. 
Finally, we will share our code to facilitate additional research towards fortifying password managers.
