Collin Jackson:
Extracting Passwords from JavaScript Password Managers

CITP Lecture Series

Date: Thursday, December 04, 2008
Time: 4:30 – 6:00 pm
Location: 101 Sherrerd Hall
Reception immediately following in 3rd floor open space

A number of commercial cloud-based password managers inject JavaScript into web pages to automatically populate and submit login forms. These password managers rely on the correct execution of their JavaScript to protect the user’s passwords, but because their JavaScript runs in a potentially untrusted security context, an attacker’s web site can steal the user’s passwords by replacing native JavaScript objects with malicious replicas. In this talk, I’ll describe general techniques for altering the semantics of native JavaScript objects, apply these techniques to extracting passwords from six commercial password managers, and propose an alternative password manager design.

Joint work with Adam Barth and Ben Adida.