Multi-Factor Authentication and macOS disk-encryption bypass for Abine Blur Web Extension 7.8.243*
Abine Blur is a suite of products for protecting your privacy online. It does this through multiple means, including:
- Credit card masking (disposable credit card numbers)
- Email masking (disposable emails)
- Cell phone masking (sms/voice capable)
- Password management
This suite is delivered via a web application (https://dnt.abine.com) and a pair of browser extensions / mobile apps (iOS, Android).
This vulnerability was originally discovered as CVE-2018-7214, but CVE-2019-6481 was opened due to a regression in version 7 of the codebase.
Please upgrade your plugin to version 8.0.2478. Major browsers should handle this automatically.
The Password Manager Extension in Abine Blur 7.8.243* allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data, because the right-click context menu is not secured. NOTE: this vulnerability exists because of a CVE-2018-7213 regression.
Abine Blur 7.8.243* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose passwords, emails, and usernames of the victim without triggering a second-factor request.
1. Navigate to any page with a login form, click on the username field, and wait for the Blur auto-fill menu to appear.
   - This reveals whether the user has any TouchID-protected accounts on this domain. (NOTE: At the time of writing, Blur does not distinguish between subdomains, and will show all accounts on that domain.) Selecting a protected account would trigger a push notification asking for TouchID authentication on the mobile device.
2. Instead of selecting the account from this menu, right-click while the form field is selected, navigate down to the Blur sub-menu, and then to Accounts.
   - Each user account is grouped by email (or by username if no email was provided) and displayed here.
3. Repeat step 2 for each field on the form that requires user login data (username, email, password, etc.).
   - The right-click menu does NOT trigger a 2FA request to the mobile device, allowing an attacker to log into a sensitive service without the user knowing.
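The root cause described above is a policy check enforced on one credential-release path (the auto-fill menu) but not on another (the context menu). The following is an added illustration, not Abine Blur's code, of that bug class and its remediation in a minimal password-manager model: all names (`VAULT`, `secondFactorSatisfied`, `releaseCredential`, `session.mfaApprovedFor`) and the sample vault entries are hypothetical. The vulnerable shape re-implements the check at each UI entry point and forgets it on one of them; the hardened shape funnels every entry point through a single release gate so a new menu cannot silently skip the second factor.

```javascript
// Added illustration (not Abine Blur's code): a minimal model of a password-manager
// extension with two credential-release paths. All names are hypothetical.

// Constructed sample vault: one account on example.com is flagged as MFA-protected.
const VAULT = [
  { domain: "example.com", username: "alice@example.com", password: "s3cr3t-A", mfaProtected: true },
  { domain: "example.com", username: "bob@example.com",   password: "s3cr3t-B", mfaProtected: false },
];

class MfaRequiredError extends Error {
  constructor(username) {
    super(`second factor required before releasing credentials for ${username}`);
    this.name = "MfaRequiredError";
  }
}

// Hypothetical second-factor state: `session.mfaApprovedFor` holds the accounts the
// user has approved on the paired device during this session.
function secondFactorSatisfied(session, account) {
  return !account.mfaProtected || session.mfaApprovedFor.has(account.username);
}

function findAccount(domain, username) {
  const acct = VAULT.find((a) => a.domain === domain && a.username === username);
  if (!acct) throw new Error(`no stored account for ${username} on ${domain}`);
  return acct;
}

// --- Vulnerable shape: each UI entry point enforces the policy on its own. ---
// The auto-fill dropdown remembers to check; the context-menu handler does not,
// so it becomes an unguarded path to the same secret.
const vulnerable = {
  autofill(session, domain, username) {
    const acct = findAccount(domain, username);
    if (!secondFactorSatisfied(session, acct)) throw new MfaRequiredError(username);
    return acct.password;
  },
  contextMenu(session, domain, username) {
    // BUG: no second-factor check on this path.
    return findAccount(domain, username).password;
  },
};

// --- Hardened shape: one release gate, and every entry point routes through it. ---
function releaseCredential(session, domain, username) {
  const acct = findAccount(domain, username);
  if (!secondFactorSatisfied(session, acct)) throw new MfaRequiredError(username);
  return acct.password;
}

const hardened = {
  autofill: (session, domain, username) => releaseCredential(session, domain, username),
  contextMenu: (session, domain, username) => releaseCredential(session, domain, username),
};

function newSession() {
  return { mfaApprovedFor: new Set() };
}

// Summarises how each path behaves for an account when the session holds no
// second-factor approval: "released" means the secret came back without a challenge.
function compare(domain, username) {
  const describe = (fn) => {
    try {
      fn(newSession(), domain, username);
      return "released";
    } catch (e) {
      return e instanceof MfaRequiredError ? "challenged" : "error";
    }
  };
  return {
    vulnerableAutofill: describe(vulnerable.autofill),
    vulnerableContextMenu: describe(vulnerable.contextMenu),
    hardenedAutofill: describe(hardened.autofill),
    hardenedContextMenu: describe(hardened.contextMenu),
  };
}

console.log(compare("example.com", "alice@example.com"));
```

Running the block shows the protected account "challenged" on every hardened path but "released" through the vulnerable context menu. A review or regression test for a password manager should enumerate every UI surface that can emit a stored secret (auto-fill, context menu, copy buttons, keyboard shortcuts) and assert that each one reaches the same gate.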
An additional vulnerability, allowing the macOS disk encryption to be bypassed from the console, was also discovered. Its details were not disclosed.
This attack would allow a remote or local user to access, and potentially edit or modify, user data while bypassing the 2FA system designed to alert the user and require a second form of authentication. It could also allow bypassing the macOS disk-encryption software used to protect the Blur data.
Timeline of Events
- 2019-01-13: Discovery of Vulnerability
- 2019-01-14: Vendor Contacted & Response, Requests time to fix
- 2019-01-14: MITRE Contacted for CVE
- 2019-01-16: MITRE Confirms & Issues CVE (CVE-2019-6481)
- 2019-02-11: Vendor Contacted with request for update
- 2019-02-14: Vendor response; reports the fix is in processing/review with the browser stores, two weeks needed
- 2019-03-14: Vendor Issues 8.0.2478 for Chrome
- 2019-03-18: Vendor starts Mozilla / Opera approval process, OKs public disclosure.
Thanks to Andrew @ Abine for assisting and coordinating with me on this CVE entry. Thanks to Jay Gala for teaching me about Responsible Disclosure @ the GMU Precollege Cyber Security Program.