Keepassxc: Check window title when using global Auto-Type in browser windows to prevent password leaks

Created on 27 Apr 2020 · 8 Comments · Source: keepassxreboot/keepassxc

Summary

Add security checks for the use of global Auto-Type in browser windows to ensure that KeePassXC doesn't dump the user's password when the user switches to a different tab in the same window, as shown below.

[screenshot: evidence]

Context

Currently, global Auto-Type only verifies the window title at the beginning. If the user switches to a different tab after activating Auto-Type, KeePassXC will start writing to that tab instead. This may lead to user passwords being posted to messaging apps such as Slack, WhatsApp Web and Skype Online, especially if the Auto-Type sequence includes a delay parameter. A common example of this, which works with highly popular services such as Gmail and Outlook, is: {USERNAME}{ENTER}{DELAY 2000}{PASSWORD}{ENTER}. This issue seems to work regardless of the browser or operating system. It was tested on KeePassXC 2.5.4 on Windows 10 (Firefox, Brave, Chrome, Edge) and Debian-based Linux (Firefox, Brave, Chrome).

Suggestion 1:

  • Ideally, KeePassXC would constantly check if the window title has not changed during Auto-Type and stop typing when it registers a change, such as when a user switches to a different tab.

Suggestion 2:

  • If suggestion 1 is not feasible, or as an addition, KeePassXC should check if the window that matches the global Auto-Type window title is most likely a browser before starting Auto-Type, and suggest that users switch to the browser extension. A similar warning prompt would also be a great addition for Ctrl+Shift+V Auto-Type, which can be the most dangerous of all, since it doesn't check for window titles and the user has to make sure the correct window is in focus.
Labels: new feature, Auto-Type


All 8 comments

I initially disclosed this issue to @phoerious on the Riot.im dev web chat. They requested me to open this feature request and mention the suggested solutions.

This change could have unintended consequences. What if the application changes the title for reasons unrelated to tab switching? How about applications that add an asterisk or similar to window titles when changes are made?

I was indeed wondering if such a safety measure would lead to many false positives, but it would be the only way to make Auto-type aware of browser tab changes.

Yeah I understand that suggestion 1 may not be feasible because of false positives. In either case, suggestion 2 (a user prompt) would still be a useful addition.

Also, if checking for changes to the window title seems unfeasible as a default feature, it would be great if KeePassXC still included it as an optional feature, just like KeePass does:
[screenshot: keepass_feature]
In KeePass this is available as an advanced feature, which does prevent password leaks when switching tabs, so it should be possible to include this functionality in KeePassXC as well.

I think it's a good suggestion. I recently switched to auto-type and, when in doubt, prefer it to be too restrictive. It's better for it to not work once than to create a leak. I also see other cases where auto-type can be dangerous.

But I understand droidmonkey's criticism too. It probably depends on your own use cases. An option for this seems like the best solution to adapt it to your own needs.

Yeah I fully agree. I still hope this option can be added.

Edit distance may be used here
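The continuous title check from Suggestion 1, combined with the edit-distance tolerance proposed in the comment above, as an added example that is not part of this issue or of KeePassXC's code base. It simulates the desktop (a foreground window title plus a keystroke buffer per window) and a simplified version of the sequence grammar; `FakeDesktop`, `run_autotype`, `simulate`, the window titles and the sample entry are all constructed for the illustration and are not KeePassXC identifiers.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified grammar for the placeholders used on this page; written for
# this example, not KeePassXC's own sequence parser.
TOKEN_RE = re.compile(r"\{([A-Za-z]+)(?:\s+(\d+))?\}|([^{]+)")


def tokenize(sequence: str) -> List[Tuple[str, str]]:
    """Split '{USERNAME}{ENTER}{DELAY 2000}{PASSWORD}{ENTER}' into (kind, argument) pairs."""
    tokens = []
    for m in TOKEN_RE.finditer(sequence):
        if m.group(3) is not None:
            tokens.append(("TEXT", m.group(3)))
        else:
            tokens.append((m.group(1).upper(), m.group(2) or ""))
    return tokens


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two titles; lets the check tolerate a small
    change such as the '*' an editor prepends when a document is modified."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class AutoTypeAborted(Exception):
    """Raised when the foreground window title drifts during typing."""


class FakeDesktop:
    """Stand-in for the OS (constructed for this example): one foreground
    window title and a keystroke buffer per window title. `switch_on_delay`
    models the user clicking another tab while Auto-Type waits in {DELAY}."""

    def __init__(self, title: str, switch_on_delay: Optional[str] = None):
        self.title = title
        self.switch_on_delay = switch_on_delay
        self.typed: Dict[str, str] = {}

    def active_title(self) -> str:
        return self.title

    def type_text(self, text: str) -> None:
        self.typed[self.title] = self.typed.get(self.title, "") + text

    def sleep(self, seconds: float) -> None:
        if self.switch_on_delay is not None:
            self.title = self.switch_on_delay


def run_autotype(sequence, entry, desktop, recheck=True, max_distance=0):
    """Type `sequence` for `entry` into `desktop`.
    recheck=False reproduces the behaviour the issue describes: the title is
    captured once at the start and never looked at again.
    recheck=True re-reads the foreground title before every token and aborts
    if it moved more than `max_distance` edits away from the captured one."""
    expected = desktop.active_title()
    for kind, arg in tokenize(sequence):
        if recheck:
            current = desktop.active_title()
            if levenshtein(expected, current) > max_distance:
                raise AutoTypeAborted(f"window title changed: {expected!r} -> {current!r}")
        if kind == "TEXT":
            desktop.type_text(arg)
        elif kind == "USERNAME":
            desktop.type_text(entry["username"])
        elif kind == "PASSWORD":
            desktop.type_text(entry["password"])
        elif kind == "ENTER":
            desktop.type_text("\n")
        elif kind == "DELAY":
            desktop.sleep(int(arg) / 1000)
        else:
            raise ValueError(f"unsupported placeholder {{{kind}}}")
    return desktop.typed


SEQUENCE = "{USERNAME}{ENTER}{DELAY 2000}{PASSWORD}{ENTER}"
ENTRY = {"username": "alice@example.com", "password": "hunter2"}  # constructed sample entry


def simulate(recheck, new_title, start_title="Gmail - Mozilla Firefox", max_distance=0):
    """Run the sequence while the user switches from start_title to new_title
    during {DELAY}. Returns (aborted, what was typed into which window)."""
    desktop = FakeDesktop(start_title, switch_on_delay=new_title)
    try:
        run_autotype(SEQUENCE, ENTRY, desktop, recheck=recheck, max_distance=max_distance)
        return False, desktop.typed
    except AutoTypeAborted:
        return True, desktop.typed


if __name__ == "__main__":
    slack = "Slack | general - Mozilla Firefox"
    print("no recheck :", simulate(recheck=False, new_title=slack))
    print("recheck    :", simulate(recheck=True, new_title=slack))
    # Title gains a leading '*' (modified document); a distance of 1 is tolerated.
    print("asterisk   :", simulate(True, "*Notes.txt - Editor", "Notes.txt - Editor", max_distance=1))
```

With `recheck=False` the password lands in the Slack window's buffer; with `recheck=True` typing stops before `{PASSWORD}` and only the username and Enter reach Gmail. `max_distance` is the knob for the false-positive concern raised earlier in the thread: a tolerance of 1 lets a title that only gained a modified-marker asterisk through, while a switch to an unrelated tab is still far outside it. The interval between checks here is one token; a real implementation would also want to check during a long `{DELAY}` rather than only before the next keystroke.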
