Security issue: ThinkVantage Password Manager

[claudeo]

A vulnerability with password managers in general has been discussed in various forums.
See http://www.info-svc.com/news/11-21-2006/ for a description of the exploit.

More specific discussion focused on the password manager in FireFox see http://www.dslreports.com/forum/remark,17319516

So I got curious, because the ThinkVantage password manager seems to use a similar technique to FireFox to detect when to inject login and password. A quick test, using the test page in the first link, showed that the ThinkVantage password manager appears to be vulnerable as well.

[JHEM]

How did you test the Thinkvantage PW manager?

Obviously a security doorway that needs to be closed.

James

[claudeo]

How I tested: Password manager is configured "normally" -- it is version 2.0.0 and "watches" web pages for login prompts, then later fills in the fields and triggers the login automatically.

I went to http://www.info-svc.com/news/11-21-2006/ and clicked the proof of concept link in the middle of the page. This took me to another web page with a login prompt, where Password Manager dutifully popped up a prompt asking me whether I wanted to remember this password and login info. I typed in "foo" for login and "bar" for password. Sure enough, this got captured by password manager and then it looks like it got recaptured from password manager by the proof of concept exploit. See the link above for an explanation of how the exploit works.

A workaround with Password Manager seems to be to turn off the automatic login option (allow PM to fill in the data, but not log in automatically) unless you can trust the site will never contain anything injected by a third party (such as a blog post). By not allowing automatic activation of the login, you can detect that this is happening and simply navigate manually from any suspicious looking situation.

I just hope someone can prove me wrong on the vulnerability.

[USSS]

Results in testing the alleged exploit on my machine are inconclusive with respect to IE6. I do not use Firefox; however, this type of exploit should be investigated by all browser software vendors.

I saved my "test" login/password combo using the ThinkVantage Password Manager, which is linked to my fingerprint reader that is configured for "secure" (not "convenient") mode.

When I was redirected to the Google site after logging in, the address bar at the Google site did NOT reveal my selected test login/password combo.

Here is what appeared in my IE6 address bar:

Code: Select all

http://www.google.com/search?q=Chapin+Information+Services&loginuser=&loginpass=&x=15&y=9

For now, further testing appears necessary to confirm this as a true exploit across various browser platforms.

[claudeo]

Steve, with the PM configured for "convenient" mode by default, the login and password values did appear in the link. So it looks like using "secure" mode helps prevent the problem.

BTW, you can mix the modes. My critical sites are all configured for "secure" mode (which can be a pain, since you have to right-click each entry in the PM entries list then choose Properties to change the mode). But auto activate is definitely off for all.

[USSS]

Steve, with the PM configured for "convenient" mode by default, the login and password values did appear in the link. So it looks like using "secure" mode helps prevent the problem.

Interesting...Lenovo certainly needs to be advised about this. No telling how many users are running PWM (ThinkVantage Password Manager) in default mode that would expose them to this exploit. Sigh...well, at least the "secure" mode appears safe. For now.

Thanks, Claudeo, for bringing this issue to the community's attention.