SIK-2016-035


Title:

Insecure Default URLs for Popular Sites in Avast Password Manager

Report ID:

SIK-2016-035

Summary:

  • Vendor: AVAST Software
  • Product: Avast Passwords
  • Affected Version: 1.4.1
  • Severity: Low
  • Short summary:
    The password manager app offers templates for creating entries that correspond to accounts on popular websites such as Facebook. Many of these templates, however, use an insecure http URL. If the user creates an entry using such a template and then uses the auto-login feature of the password manager, his password is transmitted to an http page that can be spoofed to steal the user’s credentials.

Details:

When the user creates a new entry in his password database, he can choose from various presets for popular services. He then only needs to enter his credentials and is automatically provided with the correct URL and logo of the service. Unfortunately, some of the presets contain http URLs instead of https ones, even though https is available for many of these services. Consequently, a user who creates his password database entries from the presets uses an insecure connection by default, which effectively circumvents the “https by default” policy of modern web browsers whenever the web site is launched from the password manager app. In combination with the previous vulnerability, this facilitates credential stealing.

This vulnerability makes it easier for an attacker to intercept users' interactions with popular services, because an insecure default scheme is passed to the web browser. In combination with the previous vulnerability, this allows for easier password stealing. The same limitations apply as before: the attack can be prevented by the https enforcement for popular sites built into modern browsers, or by the HTTP Strict Transport Security (HSTS) policy that some websites set.

Workaround:

Disable automatic filling. Make sure to use a browser that enforces https connections for popular sites.

Suggested Mitigation:

The password manager should make sure that the presets use the most secure schemes available for the respective service. If both http and https are available, the latter should always be preferred.
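The following is an added illustration of the mitigation described above and of the audit that would have caught the presets described in the Details section; it is not Avast's code, and the preset entries, names and URLs in it are constructed for the example. It flags presets whose URL would hand the browser a plaintext http connection (including scheme-less URLs, which browsers also open over http unless an HSTS entry applies) and rewrites them to https, leaving non-web schemes untouched.

```python
"""Audit a password manager's preset list for insecure URL schemes.

Added example, not the vendor's code. Each preset is a dict with a
display name and the URL the auto-login feature would open.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample presets; these URLs are illustrative and not taken
# from the product's real template list.
SAMPLE_PRESETS = [
    {"name": "Example Social", "url": "http://social.example.com/login"},
    {"name": "Example Mail", "url": "https://mail.example.com/"},
    {"name": "Example Shop", "url": "HTTP://shop.example.com/account"},
    {"name": "Example Bank", "url": "bank.example.com/signin"},   # scheme missing
    {"name": "Example FTP", "url": "ftp://files.example.com/"},   # not a web login
]


def is_insecure_web_url(url: str) -> bool:
    """Return True when a preset URL would be opened over plaintext http.

    A URL without any scheme counts as insecure: browsers default to
    http:// for scheme-less input unless an HSTS entry says otherwise.
    Non-web schemes (ftp:, mailto:, ...) are out of scope and return False.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in ("", "http")


def find_insecure_presets(presets):
    """Return the names of presets whose URL uses http or has no scheme."""
    return [p["name"] for p in presets if is_insecure_web_url(p["url"])]


def upgrade_to_https(url: str) -> str:
    """Rewrite an http or scheme-less web URL to https.

    This is the advisory's suggested mitigation applied to the preset list:
    when https is available, ship the https form. Whether the service really
    serves https must be confirmed by the vendor before shipping; this
    function only performs the rewrite. Other schemes are returned unchanged.
    """
    raw = url.strip()
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return raw
    if scheme == "http":
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    if scheme == "":
        # Re-parse with a scheme so netloc and path are split correctly.
        return urlunsplit(urlsplit("https://" + raw))
    return raw


def harden_presets(presets):
    """Return a copy of the preset list with every web URL upgraded to https."""
    return [{**p, "url": upgrade_to_https(p["url"])} for p in presets]


if __name__ == "__main__":
    print("insecure presets:", find_insecure_presets(SAMPLE_PRESETS))
    for preset in harden_presets(SAMPLE_PRESETS):
        print(f"{preset['name']:15s} {preset['url']}")
```

Running the audit over a real template list before each release is the cheap check here; the rewrite step should only be applied to services that have been confirmed to serve the login page over https, since blindly upgrading a site that does not would break the preset instead of securing it.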

Timeline:

  • 2016-11-21 Vulnerability Reported
  • 2016-12-05 Vulnerability Fixed