Last mile authentication problem: Exploiting the missing link in end-to-end secure communication

Conference:  Defcon 26



The presentation discusses the vulnerabilities of inter-process communication (IPC) in various applications, particularly in password managers, and proposes solutions to mitigate these vulnerabilities.
  • IPC in client-server architecture may be vulnerable to various types of attacks
  • Standalone password managers are particularly vulnerable due to lack of authentication between the browser extension and the app
  • RoboForm is an example of a password manager with no authentication between the browser extension and the app
  • OnePassword is an example of a password manager with attempted protection of IPC channel, but with an insecure protocol and lack of server verification
  • Native messaging is a more secure alternative to IPC, but still has limitations
The presentation provides examples of how attackers can exploit IPC vulnerabilities in password managers to collect user data, such as usernames and passwords entered on web forms.


With "Trust none over the Internet" mindset, securing all communication between a client and a server with protocols such as TLS has become a common practice. However, while the communication over Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected. This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this "last mile" causes the security of the rest of the communication strands to be obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.



Post a comment

Related work

Conference:  Defcon 31
Authors: Ryan Johnson Senior Director, R&D at Quokka, Mohamed Elsabagh Senior Director, R&D at Quokka, Angelos Stavrou Founder and Chief Scientist at Quokka