Collin Jackson : 2009 Security Workshop


Thursday, April 16, 2009
Location: Fisher Conference Center, Arrillaga Alumni Center

"Extracting Passwords from JavaScript Password Managers"


A number of commercial cloud-based password managers inject JavaScript into web pages to automatically populate and submit login forms. These password managers rely on the correct execution of their JavaScript to protect the user's passwords, but because their JavaScript runs in a potentially untrusted security context, an attacker's web site can steal the user's passwords by replacing native JavaScript objects with malicious replicas. In this talk, I'll describe general techniques for altering the semantics of native JavaScript objects, apply these techniques to extracting passwords from six commercial password managers, and propose an alternative password manager design.

Joint work with Adam Barth and Ben Adida.


Collin Jackson is a computer science Ph.D. candidate at Stanford University, specializing in browser and web application security. While at Stanford, Collin worked with Google on the security of the Chrome browser. He has also consulted for Yahoo!, Microsoft, the U.S. Department of Homeland Security, Silicon Valley start-up Cooliris, and the Center for Democracy and Technology. Collin holds a Bachelor of Science degree from Yale University.