Search Icon
2027 Submissions

Vault Raider: Stealthy UI-based Attacks Against Password Managers in Desktop Environments

Andrea Infantino (University of Illinois Chicago), Mir Masood Ali (University of Illinois Chicago), Kostas Solomos (University of Illinois Chicago), Jason Polakis (University of Illinois Chicago)

Password managers significantly improve password-based authentication by generating strong and unique passwords, while also streamlining the actual authentication process through autofill functionality. Crucially, autofill provides additional security protections when employed within a traditional browsing environment, as it can trivially thwart phishing attacks due to the website's domain information being readily available. With the increasing trend of major web services deploying standalone native apps, password managers have also started offering universal autofill and other user-friendly capabilities for desktop environments. However, it is currently unknown how password managers' security protections operate in these environments. In this paper, we fill that gap by presenting the first systematic empirical analysis of the autofill-related functionalities made available by popular password managers (including 1Password and LastPass) in major desktop environments (macOS, Windows, Linux). We experimentally find that password managers adopt different strategies for interacting with desktop apps and employ widely different levels of safeguards against UI-based attacks. For instance, on macOS, we find that a high level of security can be achieved by leveraging OS-provided APIs and checks, while on Windows we identify a lack of proper security checks mainly due to OS limitations. In each scenario, we demonstrate proof-of-concept attacks that allow other apps to bypass the security checks in place and stealthily steal users' credentials, one-time passwords, and vault secret keys through unobservable simulated key presses. Accordingly, we propose a series of countermeasures that can mitigate our attacks. Due to the severity of our attacks, we disclosed our findings and proposed countermeasures to the analyzed password manager vendors, which has kickstarted the remediation process for certain vendors and also been awarded a bug bounty. Finally, we will share our code to facilitate additional research towards fortifying password managers.

Paper
Slides
Video

View More Papers

Enhancing Website Fingerprinting Attacks against Traffic Drift

Xinhao Deng (INSC, Tsinghua University and Ant Group), Yixiang Zhang (INSC, Tsinghua University), Qi Li (INSC, Tsinghua University, State Key Laboratory of Internet Architecture, Tsinghua University and Zhongguancun Laboratory), Zhuotao Liu (INSC, Tsinghua University and Zhongguancun Laboratory), Yabo Wang (DCST, Tsinghua University), Ke Xu (DCST, Tsinghua University, State Key Laboratory of Internet Architecture, Tsinghua University…

Read More

Formal Analysis of BLE Secure Connection Pairing and Revelation...

Min Shi (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University), Yongkang Xiao (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University), Jing Chen (Key Laboratory of Aerospace Information Security and Trusted Computing,…

Read More

DQN-IDS: A Deep Reinforcement Learning Approach for Open Set-Enabled...

Shreyash Tiwari (Computer and Information Science, University of Massachusetts Dartmouth), Nathaniel D. Bastian (Electrical Engineering and Computer Science, United States Military Academy), Gokhan Kul (Computer and Information Science, University of Massachusetts Dartmouth)

Read More