Abine Blur Password Manager Insecure Permissions Module: Blur Web Extension Announced: 2018-03-10/16 Credits: RS Tyler Schroder Affects: 7.8.242* BEFORE 7.8.2428 CVE ID: CVE-2018-7213 I. Background Abine Blur is a password management suite combined with online anonymity tools designed to help consumers remain anonymous in the digital era. https://abine.com II. Problem Description The Password Manager Extension in Abine Blur 7.8.242* before 7.8.2428 allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data, because the right-click context menu is not secured. II.I Technical Abine Blur 7.8.242* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose passwords, emails, and usernames of the victim without triggering a second-factor request. III. Impact Access to secured data can lead to secure information exfiltration, a 2FA bypass, and a further undisclosed MacOS(x) disk encryption console bypass (to access secured Abine Blur data). IV. Workaround No workaround, as the vendor has issued a patch. V. Solution Update your browser plug-in per your browser vendor's instructions. Firefox 5x.xx and Chrome 63.x are known to automatically update to the latest version. VI. Timeline of Events * 2018-02-13: Discovery of Vulnerability * 2018-02-13: Vendor Contacted * 2018-02-14: CERT/CC activated for vendor PGP coordination * 2018-02-14: Vendor responds (PGP) * 2018-02-15: CERT/CC [VU#714299] unable to assist further * 2018-02-16: MITRE Contacted for CVE * 2018-02-17: MITRE Confirms & Issues CVE (CVE-2018-7213) * 2018-02-28: Patch Issued * 2018-03-10: Public Disclosure. Further Details: https://redcoded.com/2018/CVE/ | https://addons.mozilla.org/en-US/firefox/addon/donottrackplus/versions/?page =1#version-7.8.2428 -----BEGIN PGP MESSAGE----- Version: GnuPG v2 owF9VXtwE0UYb9EixJbXiPXBY6EKFJqEhNLSgFNKH0yU0tKWgjBFL3ebZCd3t/Fu jzSoA86oPHVA6SBiHaDKWCgwQp3CH4Igan2gKIpAh+koIkJFRS2vGajf3iWh0Rn/ aLp7+z1+3+/77bdrM+5I6Ze69CH3c5saR2Slfn7Rl7KgpSS/yEdUjGbIhoYqBV2P UE1C5YIqBLCGvKqORUPDqBJrCtF1QlU9w1ZOJUPGHstnHvah0nqGVX6YYStSVWqo IpY8yD3RNcU+cZLdNdHpysuwFWtYIkz3oKpqVBOVIXq1GNSohDXw8vuxyM/yHVMc 7lz3eDSjtKyiqjS+nwLutaXIW+JB8N9uRs53uyZl2DJsXgeaIYihgAZ5JQh1uxyi IwGF4zUpZk0KVhnSDcIwEqnCbSUUISyIqCpzR0GlalQhLIoYpbKOJKyTADdiFAWx HAYvVTcUrOlIw4pA1JgHNXQEGxbESCIBwgQZYU1woCBjYd3jdAo8lQNSmpABc6VG fTJWUAnWRY2Emclehq0GAvynDQl+eYpeBSbY8mE/hS7F2UKCLNMIVM8YMMOxAnpf lFNhIiw3ZEbsZYLIqIaKDPikMiIKHAOUw6kSK6qhDj1kx6qoRU10KKxRBl3iSwWL QUEluqLnmA6cFPyUAWHkKML1fiIzTQCKLfVISBKYkAMoRcHQsQlBI4Egs4syEUPc m+F6BlFVgzdNpSzu6YjR5UU1kFIFkHJSixMM+AUiW12KKfb/kuRYBBE1AOgTLFk6 wPAD63AwqvNsSBBFDLQBUdBvIMAOiggxGo4fQEYgSpQpFBbXGrDCtSHH2IGaNVVQ METxm7gWE6BRMfNRgyEGOKHNJhwOn6qS3W81R+Os6ixGA8jGq4ThBDhIZO/NMRKh HhkLvYkgKmhDsZqbaA1sctAFAbnLimLCsKAKyG9oJgFwmWJlcR2CHsbVZ5uSQL0k wftOZRzX1jjIGqMljqpXrzjAbKuSWgeaR7WQELuzsymKJLYAxFLpYqxKQEEQtjB6 DCyZt5mJQTMGhKimsmHdm7lhicstSiGNTwPp8w7KRsAO9yUM66QDK+6PyzbyG6sz zTA1rTtQGdHgHtWjyfWO+nqTjmIYUApGeZMcsAcuQyqNqJxbwWCUcwoKAcUbVnr4 znHLsNYZpNH4lbXAQudqiILNEQMiKAUMDCbp+NiQdNtdkzyoBAin4BblJrWGrMIE 8REZhtG/LWstaopB06AGLCWd58KQLK2qcRYXQzMYWQxwJAQaiBNaObMSGgcyJR+c UQWLwGT3WHgN62HQIvQVXLKTjCbfzrGwdm5WvivXXVBQB6IRYKiZBMFjASTE1JTk m+dB5d4aGO4J+CY6GOxJZvm9zPxEU3Q0Bnm5DnRuisYlPQRJ6NxTPDBDQSiWfS92 +GMEZ4YPRoJJN+gbZGr2qCwm/BLM+NX1JEY3yFiEZ0ri09vJ4zghtRM9c3u2SxLX j0KXEFkWHFQLOLFqn1vt9FuCsgyc8EcZXD4xBNLUnTF96M7CMAz5R1xZsQ/2xBRf 2WfYnSmp/VL6pvXhD3WKrf+g+Ou9afnAnrIPv5ra6Cn/YV/NV5+uvXr0rtrpo1/v OXXP8ZY7Gypevuedu8vI0oMFLWt29H2wdsSlwQUteemP/TI8u7lLOX9KPTZsZ+He ZwYXVpxDD3x9tujKtd9OdDRvK/xj1jrj9JBlke2+w+Stc1tw64a6oZ4b7RNdrpYO saJ/Xl1e2V8lRZsPbW1bwibIox9u2eJc/VHzqcvHFmXdONm09t2bWzI6X5q/OW1h WtfkPd+9oW/OHDl8yb4/v1nTPfv9002+P7PIidVH5t+1e1r3lf0fjm0/Upn593vp HRddkU8avn7ls8ync3xKnrDUGPUTcU9NGbXoUu6J1Z030y7Yv1//+xPpK9t8ubsH 9Ez4bdT0pn3+XZEjP4+adfnHV7/c+W3nuXVzjt0vCU2f958rDsqd19btNaZfb390 zth+uzrbVi6ac2BgyJZZPHLB6YX5DelXWnM3jOnTcejM9av3nfrmiQk7om//lHk4 NLRVOfpxuz5be/z3ATMG3lu46/Urzz7fGNn33tHrX2z7dEHzwe6GkU/2GdrV7+8H JPsecVbPyYKqP4pbX3DPXtFynO5u/Ln97JBxA8hCdljsnlm7qq4h+NqtIbjnJW/K 5j0j1s1M3dTy5aDsFxvPTu12HEiVm9ann/hs/5E6efibYe/WAeHzn4y+EPn1+IUu 17IFtzZOY9v9l/aPvu/W0L7Gira911rdL47fuJwtOvz91h8eXnV5WGO475PT/gE= =nyj5 -----END PGP MESSAGE-----
Attachment:
smime.p7s
Description: S/MIME cryptographic signature