Session Identifiers are for Now, Passwords are Forever - XSS-Based Abuse of Browser Password Managers

Offered By: Black Hat via YouTube

Course Description

Overview

Explore the weaknesses of browser-based password managers and their exposure to Cross-Site Scripting (XSS) in this Black Hat conference talk. Learn how an XSS flaw in a site can be leveraged to read and exfiltrate the passwords a browser has stored for that site, even where session cookies are protected by the HttpOnly flag, because the password manager auto-fills credentials into a form the injected script can read. Examine the current generation of password managers in the major browsers, and review the findings of a large-scale study of how popular websites use password fields. Gain insight into the attack patterns and the security considerations behind them, along with recommendations that help both website operators and users reduce the risk. Topics covered include the Same-Origin Policy, the types of XSS, the HTML5 autocomplete attribute, and a proposed solution for making password managers more robust.

Syllabus

Intro
Browser choices
The Same-Origin Policy
XSS - the underlying problem
XSS - what an attacker can do
Types of XSS
Isn't XSS so 2010?
Passwords on the Web
Solution: A Password Manager
Password Managers and XSS
Security Considerations
Five key features of PW Managers
HTML5 autocomplete
Our notion vs. Google's notion
What are login forms like out there?
Analysis of Web password fields
Similar attacker model
Comparing the attacks
Bottom line
Mismatch in notion/implementations
Our proposed solution
Constraints for this approach
PoC Implementation
Functional evaluation
What to take away!


Taught by

Black Hat
