We’ve never been all that comfortable with the security of built-in browser password managers, but we’ve always assumed that any exploit would at least need to leverage a bug in the browser or require advanced technical skills.īut nope – it took literally just one hour to research and build a sandbox environment to confirm the flaw, with no special skills or technical tricks required at all. To be honest, we had a hard time believing this flaw was really this easy to exploit when this first came to our attention. It’s a trivial exercise to exploit this flaw, as we’ll demonstrate shortly. The consequence of this browser design is that if anyone gains access to an employee’s system, through phishing, malware, or any other exploit, then they can easily extract all usernames and passwords stored by their browser. It may “feel” like you’re secure, but are you really? If a thief can easily guess exactly where to get your key, then of course not! Think about it this way – you can put the strongest locks on every door of your house, and make sure they’re all locked tight, but you then put the key under the doormat because that’s what all your neighbors do. This gives the impression that everything is OK, which is a truly awful security design! While defaulting to this insecure storage method is bad enough, the even more inexcusable design flaw is never warning the user that they’re using an insecure storage method. And once you have a few passwords saved, you’ll be less likely to switch and start using another browser. So why in the world are they designed this way? Most likely, it’s because this is the easiest way for browsers to start prompting you to save passwords, without the extra burden of forcing users to first set the master/primary password to protect the encryption key. It just doesn’t make any sense!Įven more surprising, all of these browsers actually have mechanisms to protect their keys, by setting an additional “master” or “primary” password – but it’s not turned on by default and the browser never prompts the user to activate it! It may be difficult to believe that three major browsers all have intentionally included a feature that is so egregiously insecure. An encrypted password manager database with an unprotected key provides no meaningful protection at all for your passwords. To be perfectly clear, encryption is worthless if the keys aren’t secured. Here’s what we mean: Even though Chrome, Firefox, and Edge browsers all store passwords in encrypted databases, by default all three products intentionally leave the associated encryption keys completely unprotected in predictable locations. It’s reasonable to assume that an out-of-the box, default feature in a major brower should be pretty secure … except when it’s not, by design! While not perfect, many companies have accepted these built-in features as “secure enough.” And since browsers are constantly volunteering to save every password the user enters, it shouldn’t be surprising then if this is how your employees are keeping track of them. It’s probably a safe bet then that most employees are using their browsers to store all of their long, complex passwords. Hopefully, you have a corporate security awareness training program and have long been discouraging the first two practices, even if some people may still do them.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |