SIK-2016-031


Title:

Subdomain Password Leakage in Internal Dashlane Password Manager Browser

Report ID

SIK-2016-031

Summary:

  • Vendor: Dashlane
  • Product: Dashlane Password Manager
  • Affected Version: Version Code=1378, Version Name="4.3.3.1378-armeabi-v7a"
  • Severity: medium
  • Short summary:
    The browser delivered with Dashlane can automatically fill out password forms on websites, but it cannot distinguish password fields belonging to different subdomains of the same domain.

Details:

The Dashlane Android app does not distinguish subdomains when inserting passwords into web forms in its internal browser. If an attacker is able to register a subdomain within the same domain as the target, he can obtain the password of the target. Assume that the user has stored a password for "domain1.wordpress.org". The attacker registers "domain2.wordpress.org", which is easily possible, because the centrally-hosted WordPress service gives out free subdomains for new blogs. Assume further that the user opens "domain2.wordpress.org" in the password manager's internal web browser. The password manager will now assume that the credentials stored for "domain1.wordpress.org" are also applicable to "domain2.wordpress.org", because it only compares "wordpress.org" as the URL, not the subdomains. As a consequence, the wrong credentials are filled into the web form of the attacker-controlled domain "domain2.wordpress.org". The attacker-controlled website can then leak these credentials to the attacker.

The issue allows an attacker to extract credentials stored in the password manager for other domains as long as he is able to register a subdomain under the same domain as the target for which he wants to obtain the credentials. Consequently, restricted domains for which no new subdomains can be obtained are safe with regard to this attack. On the other hand, popular domains such as wordpress.org or tumblr.com as well as many free website hosting providers that give out subdomains are affected. For all these domains, credentials stored in the password manager are at risk.

The attacker cannot directly derive the original subdomain, but using social engineering techniques he can, for instance, infer a possible target from the username or e-mail address.

Workaround

Avoid storing passwords for services working with subdomains (e.g. wordpress.org).

Suggested Mitigation

Store the full domain, including the subdomain, for each stored password.
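The following is an added illustration of the matching logic described in this advisory and of the suggested mitigation; it is not Dashlane's code. The vault entries, the function names and the choice to compare the full origin (scheme plus host) are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical data model): each credential is keyed
# by the origin it was saved on, as the mitigation suggests.
VAULT = [
    {"origin": "https://domain1.wordpress.org", "user": "alice", "password": "s3cret"},
    {"origin": "https://example.com", "user": "alice@example.com", "password": "pw2"},
]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' reduction, i.e. domain1.wordpress.org -> wordpress.org.
    This is the comparison the advisory describes as the root cause."""
    return ".".join(host.lower().split(".")[-2:])


def match_weak(page_url: str, vault=VAULT):
    """Vulnerable behaviour: every entry under the same registrable domain is
    offered for autofill, so domain2.wordpress.org receives the credentials
    stored for domain1.wordpress.org."""
    host = urlsplit(page_url).hostname or ""
    return [e for e in vault
            if registrable_domain(urlsplit(e["origin"]).hostname) == registrable_domain(host)]


def match_strict(page_url: str, vault=VAULT):
    """Mitigated behaviour: the stored origin is kept in full and autofill only
    happens when scheme and complete host name match the page exactly."""
    page = urlsplit(page_url)
    matches = []
    for e in vault:
        stored = urlsplit(e["origin"])
        if (stored.scheme, stored.hostname) == (page.scheme, page.hostname):
            matches.append(e)
    return matches


if __name__ == "__main__":
    attacker_page = "https://domain2.wordpress.org/wp-login.php"
    print("weak  :", [e["user"] for e in match_weak(attacker_page)])    # leaks alice
    print("strict:", [e["user"] for e in match_strict(attacker_page)])  # nothing filled
```

The strict variant also refuses to fill an entry saved on https:// into an http:// page with the same host, which the same origin comparison gives for free.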

Timeline

  • 2016-09-23 Vulnerability Discovered
  • 2016-09-26 Vulnerability Reported
  • 2016-10-25 Vulnerability Fixed