Stealthy Credential-Stealing Against Password Managers in Native App Ecosystems

Password managers significantly improve password-based authentication, by generating strong and unique passwords while also streamlining the actual authentication process through autofill functionality. Crucially, autofill provides additional security protections when employed within a traditional browsing environment, as it can trivially thwart phishing attacks due to the website's domain information being readily available. With the increasing trend of major web services also deploying standalone native applications, passwords managers have also started offering universal autofill and other user-friendly capabilities for desktop application environments. However, it is currently unclear how password managers' security protections apply in these environments. To fill that gap, in this thesis I present the first systematic empirical analysis of the autofill-related functionalities made available by popular password managers (including 1Password, Keeper and LastPass) in two major desktop environments: MacOS and Windows. We find that password managers adopt different strategies for interacting with desktop apps, and employ widely different levels of safeguards against UI-based attacks. For instance, on MacOS we find that a high level of security can be achieved by leveraging OS-provided APIs and checks, while on Windows we identify a lack of proper security checks mainly due to OS limitations. In each scenario, I demonstrate proof-of-concept attacks that allow other applications to bypass the security checks in place and stealthily steal user's credentials and one-time-passwords. Accordingly, I propose a series of countermeasures that can mitigate our attacks. Due to the severity of our attacks, we disclosed our findings and proposed countermeasures to the analyzed password manager vendors.