Advisory for CVE-2019-6481 | Abine Blur Web Extension

Multi-Factor Authentication and macOS disk-encryption bypass for Abine Blur Web Extension 7.8.243*

Background

Abine Blur is a privacy-focused suite of products for protecting your privacy online. It accomplishes this by multiple means, including:

  • Credit card masking (disposable credit card numbers)
  • Email masking (disposable emails)
  • Cell phone masking (SMS/voice capable)
  • Password management

This suite is delivered via a web application (https://dnt.abine.com) and a pair of browser extensions / mobile apps (iOS, Android).

This vulnerability was originally discovered and tracked as CVE-2018-7214, but CVE-2019-6481 was opened because the issue regressed in version 7 of the codebase.

Please upgrade your plugin to version 8.0.2478. Major browsers should handle this automatically.

Description

The Password Manager Extension in Abine Blur 7.8.243* allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data, because the right-click context menu is not secured. NOTE: this vulnerability exists because of a CVE-2018-7213 regression.

Abine Blur 7.8.243* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose the victim's passwords, emails, and usernames without triggering a second-factor request.

POC

  1. Navigate to any page with a login form, click on the username field, and have the Blur auto-fill form appear.
     a. This action will reveal whether the user has any TouchID-protected accounts on this domain. (NOTE: At time of writing, Blur does not have the capability to distinguish subdomains, and will show all accounts on that domain.) Selecting the protected account would trigger a push notification asking for TouchID auth on the mobile device.
  2. Instead of selecting the account from this menu, right-click while the form field is selected, navigate down to the Blur sub-menu, and then to Accounts.
     a. Each user account is grouped by email (or username if no email was provided) and displayed here.
  3. Repeat step 2 for each field on the form that requires user login data (username, email, password, etc.).
     a. The right-click menu does NOT trigger a 2FA request to the mobile device, allowing an attacker to log into a sensitive service without the user knowing.
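The root cause described above is a classic one: two UI entry points (the auto-fill dropdown and the context menu) release the same secret, but only one of them enforces the second-factor gate. The following is an added illustrative model, not Abine Blur's code; the vault contents, the `protected` flag, the `secondFactorApproved` gate and the `auditEntryPoints` check are all hypothetical, and show the regression pattern beside a hardened form that routes every entry point through a single chokepoint.

```javascript
// Constructed sample vault: one account on the domain is marked as 2FA-protected.
const VAULT = [
  { domain: "example.com", username: "alice@example.com", password: "hunter2", protected: true },
  { domain: "example.com", username: "bob@example.com", password: "s3cret", protected: false },
];

// Hypothetical second-factor gate. A real extension would push a prompt to the
// mobile app; here "approvals" stands in for the set of accounts already approved.
function secondFactorApproved(account, approvals) {
  return approvals.has(account.username);
}

// BEFORE (regression pattern): the dropdown path enforces the gate, the
// context-menu path was added separately and never calls it.
function fillFromDropdownBefore(account, approvals) {
  if (account.protected && !secondFactorApproved(account, approvals)) return null;
  return account.password;
}
function fillFromContextMenuBefore(account, approvals) {
  return account.password; // protected secret released without any 2FA push
}

// AFTER: the release decision lives in one function; UI paths are thin aliases,
// so a new menu or shortcut cannot bypass the check by construction.
function releaseSecret(account, approvals) {
  if (account.protected && !secondFactorApproved(account, approvals)) {
    return null; // deny; caller shows "approve on your phone" and waits
  }
  return account.password;
}
const fillFromDropdownAfter = releaseSecret;
const fillFromContextMenuAfter = releaseSecret;

// Regression check every UI path must pass before release: with no approvals
// granted, no entry point may hand back a protected secret. Returns the names
// of the offending entry points (empty array means the gate holds everywhere).
function auditEntryPoints(entryPoints, vault) {
  const noApprovals = new Set();
  const leaks = [];
  for (const [name, fill] of Object.entries(entryPoints)) {
    for (const account of vault) {
      if (account.protected && fill(account, noApprovals) !== null) leaks.push(name);
    }
  }
  return leaks;
}
```

Run against the "before" pair, the audit names the context menu as the leaking path; against the "after" pair it reports none, while approved and unprotected fills still succeed.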

An additional vulnerability was discovered that also bypasses the macOS disk-encryption protection from the console. Its details were not disclosed.

Criticality Assessment

This attack would allow a remote or local user to access, and potentially edit or modify, user data while bypassing the 2FA system designed to alert users and require a second form of authentication. It could also allow bypassing the macOS disk-encryption software used to protect the Blur data.

Timeline of Events

  • 2019-01-13: Discovery of Vulnerability
  • 2019-01-14: Vendor Contacted & Response, Requests time to fix
  • 2019-01-14: MITRE Contacted for CVE
  • 2019-01-16: MITRE Confirms & Issues CVE (CVE-2019-6481)
  • 2019-02-11: Vendor Contacted with request for update
  • 2019-02-14: Vendor Response, reports fix is in processing/review with browser stores, 2wks needed
  • 2019-03-14: Vendor Issues 8.0.2478 for Chrome
  • 2019-03-18: Vendor starts Mozilla / Opera approval process, OK’s Public Disclosure.

Thanks to Andrew @ Abine for assisting and coordinating with me on this CVE entry. Thanks to Jay Gala for teaching me about Responsible Disclosure @ the GMU Precollege Cyber Security Program.
