Exploiting Leakage in Password Managers via Injection Attacks

Andrés Fábrega, Armin Namavari, Rachit Agarwal, Ben Nassi, Thomas Ristenpart

TL;DR

The paper presents a new threat model for password managers—injection attacks via cross-user sharing where an adversary injects data and observes leaked state to recover sensitive information. It identifies three general design patterns that enable leakage: application-wide vault-health metrics, URL icon fetching, and storage-saving mechanisms (compression and deduplication) in KDBX 4, and demonstrates practical attacks across ten managers. The authors provide attack templates (dictionary-style and binary-search strategies) and validate them with PoC experiments on real apps and simulated KeePassXC deployments, recovering passwords, URLs, usernames, and attachments with high efficacy. They also discuss mitigations and responsible disclosure, noting vendor deployments that separate metrics, disable certain fetches, and randomize storage to blunt side-channels, while calling for broader mitigations and design changes to secure E2EE applications. Overall, the work highlights how seemingly benign features can create leakage paths and motivates rethinking data trust boundaries and state synchronization in password managers.

Abstract

This work explores injection attacks against password managers. In this setting, the adversary (only) controls their own application client, which they use to "inject" chosen payloads to a victim's client via, for example, sharing credentials with them. The injections are interleaved with adversarial observations of some form of protected state (such as encrypted vault exports or the network traffic received by the application servers), from which the adversary backs out confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames, and attachments. We develop general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of ten distinct password manager applications. We disclosed our findings to these vendors, many of which deployed mitigations.

Paper Structure (49 sections, 3 equations, 5 figures)

Figures (5)

  • Figure 1: Summary of the vulnerabilities discovered in this work, which lead to efficient attacks that recover sensitive information from a victim's vault. These vulnerabilities were present in ten applications we studied: LastPass (L), Dashlane (D), Zoho Vault (Z), 1Password (1P), Enpass (E), Roboform (R), Keeper (K), NordPass (N), Proton Pass (P), and KeePassXC (KX).
  • Figure 2: A network adversary can observe the HTTPS packets under which a mix of E2EE data (green squares) and plaintext metadata (orange squares) is transmitted; an eavesdropper has direct access to these.
  • Figure 3: Summary of the pre-conditions required for an application to be vulnerable for two of our attacks, each represented by a set of rows, and the conditions satisfied by each application we analyzed. An application that has a ✓ for all pre-conditions in a set of rows is thus vulnerable to the attack.
  • Figure 4: Experimental success probability of our dictionary attack on attachments exploiting deduplication, for real-world files (first column), and for synthetic test files (each file is of some random size between 1 and $|w|$, and contains sequences of repeated characters). Each row represents a number of candidate files. These probabilities can be amplified via repetition.
  • Figure 5: Experimental success probability of our dictionary attack on usernames and URLs exploiting compression, for real-world files (first two columns), and for synthetic test files (last four columns); the left and right values denote, respectively, when the strings consist of random bytes and are all of length $w$, and when they have repeated substrings and vary in length between 1 and $|w|$. These probabilities can be amplified via repetition.
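The compression pattern behind Figure 5 is easy to reproduce on toy data, and reproducing it is the quickest way for a vendor to check whether a vault format has the property the paper describes. The Python below is an added illustration, not code from the paper or from any of the ten applications: it models a vault as JSON records compressed with zlib, measures how many bytes the protected state grows by when a shared ("injected") record is added, and shows that with a single compression stream that growth is smaller exactly when the injected string repeats a victim string, so the cheapest guess identifies the secret. It then shows one mitigation design (compressing user-authored and externally-sourced records in separate streams, an assumed option rather than a recommendation quoted from the paper) under which the growth no longer depends on the victim's data. The entry fields, the two 32-character "secrets", and the guess list are all constructed.

```python
import json
import zlib

# Constructed sample data (not from the paper): a victim-owned record whose
# username an adversary wants to learn, a second unrelated secret used only to
# test independence, and a batch of adversary-chosen guesses to be "injected"
# through a sharing feature.
VICTIM_SECRET = "Xq7!pL2#vN9@rT4$wH6%kJ8^mB3&zC5*"
OTHER_SECRET = "Pw3?dF8~gH1+jK4=lM7-nQ0_sV2|xZ5;"
GUESSES = [
    "Aa1!Bb2@Cc3#Dd4$Ee5%Ff6^Gg7&Hh8*",
    "Zz9*Yy8&Xx7^Ww6%Vv5$Uu4#Tt3@Ss2!",
    VICTIM_SECRET,  # the correct guess
    "Mm0)Nn1(Oo2*Pp3&Qq4^Rr5%Ss6$Tt7#",
]


def victim_entry(secret):
    return {"title": "corp-vpn", "url": "https://vpn.example.test", "username": secret}


def injected_entry(guess):
    return {"title": "shared-item", "url": "https://share.example.test", "username": guess}


def _blob(entries):
    return "\n".join(json.dumps(e, sort_keys=True) for e in entries).encode()


def serialize_single_stream(own, shared):
    # Leaky pattern: every record, whatever its origin, goes into ONE DEFLATE
    # stream, so a shared record that repeats a victim string is encoded as a
    # back-reference and the vault grows by fewer bytes.
    return zlib.compress(_blob(own + shared), 9)


def serialize_split_streams(own, shared):
    # Mitigated pattern (assumed design): records the user did not author are
    # compressed in their own stream, so redundancy between the two sets can
    # never influence the total size.
    return zlib.compress(_blob(own), 9) + zlib.compress(_blob(shared), 9)


def injection_cost(serialize, secret, guess):
    """Bytes the protected state grows by when `guess` is injected: size after
    minus size before. This is the only quantity an adversary observing vault
    exports or network traffic sizes gets to see."""
    before = len(serialize([victim_entry(secret)], []))
    after = len(serialize([victim_entry(secret)], [injected_entry(guess)]))
    return after - before


def best_guess(serialize, secret, guesses):
    """One dictionary-attack step: the guess with the lowest cost is the
    adversary's candidate for the secret."""
    return min(guesses, key=lambda g: injection_cost(serialize, secret, g))


def cost_depends_on_secret(serialize, guess, secrets):
    """Defender's self-check for a serialization format: if the cost of
    injecting the same guess changes with the victim's data, the format leaks."""
    return len({injection_cost(serialize, s, guess) for s in secrets}) > 1


if __name__ == "__main__":
    for name, ser in [("single stream", serialize_single_stream),
                      ("split streams", serialize_split_streams)]:
        costs = {g[:6]: injection_cost(ser, VICTIM_SECRET, g) for g in GUESSES}
        print(name, costs)
        print("  cost depends on victim data:",
              cost_depends_on_secret(ser, VICTIM_SECRET, [VICTIM_SECRET, OTHER_SECRET]))
```

Running the script prints the per-guess growth for both layouts; in the single-stream layout the correct guess stands out by roughly the length of the repeated string, while in the split-stream layout every guess costs the same regardless of which secret the victim holds. The self-check `cost_depends_on_secret` is the property to test when evaluating a format: any dependence of size on data the adversary did not author is a side channel, whichever compressor or deduplication scheme produces it.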