‘Our mission was to get access to a victim’s plaintext password, by whatever means’

A security researcher has found a way to extract credentials from a password manager’s API, in an attack that earned a $1,000 bug bounty bonus for creativity.

The technique – which can be employed when X-Frame-Options headers are not set on responses that contain sensitive information – was developed by Inti De Ceukelaire (@securinti) at a HackerOne live event last year.

“The target was a password & identity provider, so we knew stakes were high,” Ceukelaire writes in a blog post published last week.

“Our mission was to get access to a victim’s plaintext password, by whatever means.”

Thinking outside the box was the name of the game, Ceukelaire explains.

“In order to view the password, you had to press a button that would trigger an xhr request to the endpoint /api/reveal-password/APP_ID, which would reveal the password to the user.”

At this stage, Ceukelaire noticed that the target password manager did not have any X-Frame-Options headers enabled – an HTTP response header that ensures content will not be embedded on other sites.

However, the use of cross-origin resource sharing meant that a user’s password could not be viewable within the iframe.

“So unless we could find a way to visually extract the password from the iframe, this would be a dead-end,” the researcher said.

Pixel perfect

Ceukelaire was able to isolate each character of a victim’s password through CSS positioning tricks, such as knowing the dimensions of an element presented within the code.

“I started playing around with the iframe for a bit and set the width to 30px,” he explains. “Then I came to the conclusion that every character had exactly the same size of 8 x 15px.”

A victim’s password could then be displayed back to them by putting each character in a separate iframe.

“It may seem a little bit threatening, but unless we find a way to extract the password, it’s useless,” Ceukelaire said.

The solution was to build a CAPTCHA form that would scramble the password and force the user to input the characters in what they would think was a regular security check.

“This could work for people that use randomly generated passwords, but in other cases this wouldn’t have much success (I mean — what kind of idiot would fall for that?),” Ceukelaire said.

A similar CAPTCHA attack was presented in 2016 by Nethanel Gelernter and Amir Herzberg at the International World Wide Web Conference in Montreal.

Ceukelaire was awarded a $100 bounty for the discovery of the vulnerability, and an added $1,000 for creativity.

“This must have been the report where the bonus was ten times as high as the actual bounty,” he said, adding how he would “probably also fill in the password-captcha without blinking twice”.

In order to prevent such attacks, it is recommended to implement X-Frame-Options on every single response.

The Daily Swig has reached out to Ceukelaire for comment.


RELATED New tool highlights shortcomings in reCAPTCHA’s anti-bot engine