Abine Blur Password Manager Insecure Permissions
Module: Blur Web Extension
Announced: 2018-03-10/16
Credits: RS Tyler Schroder
Affects: 7.8.242* BEFORE 7.8.2428
CVE ID: CVE-2018-7213

I. Background
Abine Blur is a password management suite combined with online anonymity
tools designed to help consumers remain anonymous in the digital era.
https://abine.com

II. Problem Description

The Password Manager Extension in Abine Blur 7.8.242* before 7.8.2428 allows
attackers to bypass the Multi-Factor Authentication and macOS
disk-encryption protection mechanisms, and consequently exfiltrate secured
data, because the right-click context menu is not secured.

II.I Technical
Abine Blur 7.8.242* failed to secure the right-click context menu, allowing
an attacker with either physical access or remote-desktop access to disclose
passwords, emails, and usernames of the victim without triggering a
second-factor request.

III. Impact
Access to secured data can lead to secure information exfiltration, a 2FA
bypass, and a further undisclosed MacOS(x) disk encryption console bypass
(to access secured Abine Blur data).

IV. Workaround
No workaround, as the vendor has issued a patch.

V. Solution
Update your browser plug-in per your browser vendor's instructions. Firefox
5x.xx and Chrome 63.x are known to automatically update to the latest
version.

VI. Timeline of Events
* 2018-02-13: Discovery of Vulnerability
* 2018-02-13: Vendor Contacted
* 2018-02-14: CERT/CC activated for vendor PGP coordination
* 2018-02-14: Vendor responds (PGP)
* 2018-02-15: CERT/CC [VU#714299] unable to assist further
* 2018-02-16: MITRE Contacted for CVE
* 2018-02-17: MITRE Confirms & Issues CVE (CVE-2018-7213)
* 2018-02-28: Patch Issued
* 2018-03-10: Public Disclosure.

Further Details: https://redcoded.com/2018/CVE/ |
https://addons.mozilla.org/en-US/firefox/addon/donottrackplus/versions/?page
=1#version-7.8.2428 

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

owF9VXtwE0UYb9EixJbXiPXBY6EKFJqEhNLSgFNKH0yU0tKWgjBFL3ebZCd3t/Fu
jzSoA86oPHVA6SBiHaDKWCgwQp3CH4Igan2gKIpAh+koIkJFRS2vGajf3iWh0Rn/
aLp7+z1+3+/77bdrM+5I6Ze69CH3c5saR2Slfn7Rl7KgpSS/yEdUjGbIhoYqBV2P
UE1C5YIqBLCGvKqORUPDqBJrCtF1QlU9w1ZOJUPGHstnHvah0nqGVX6YYStSVWqo
IpY8yD3RNcU+cZLdNdHpysuwFWtYIkz3oKpqVBOVIXq1GNSohDXw8vuxyM/yHVMc
7lz3eDSjtKyiqjS+nwLutaXIW+JB8N9uRs53uyZl2DJsXgeaIYihgAZ5JQh1uxyi
IwGF4zUpZk0KVhnSDcIwEqnCbSUUISyIqCpzR0GlalQhLIoYpbKOJKyTADdiFAWx
HAYvVTcUrOlIw4pA1JgHNXQEGxbESCIBwgQZYU1woCBjYd3jdAo8lQNSmpABc6VG
fTJWUAnWRY2Emclehq0GAvynDQl+eYpeBSbY8mE/hS7F2UKCLNMIVM8YMMOxAnpf
lFNhIiw3ZEbsZYLIqIaKDPikMiIKHAOUw6kSK6qhDj1kx6qoRU10KKxRBl3iSwWL
QUEluqLnmA6cFPyUAWHkKML1fiIzTQCKLfVISBKYkAMoRcHQsQlBI4Egs4syEUPc
m+F6BlFVgzdNpSzu6YjR5UU1kFIFkHJSixMM+AUiW12KKfb/kuRYBBE1AOgTLFk6
wPAD63AwqvNsSBBFDLQBUdBvIMAOiggxGo4fQEYgSpQpFBbXGrDCtSHH2IGaNVVQ
METxm7gWE6BRMfNRgyEGOKHNJhwOn6qS3W81R+Os6ixGA8jGq4ThBDhIZO/NMRKh
HhkLvYkgKmhDsZqbaA1sctAFAbnLimLCsKAKyG9oJgFwmWJlcR2CHsbVZ5uSQL0k
wftOZRzX1jjIGqMljqpXrzjAbKuSWgeaR7WQELuzsymKJLYAxFLpYqxKQEEQtjB6
DCyZt5mJQTMGhKimsmHdm7lhicstSiGNTwPp8w7KRsAO9yUM66QDK+6PyzbyG6sz
zTA1rTtQGdHgHtWjyfWO+nqTjmIYUApGeZMcsAcuQyqNqJxbwWCUcwoKAcUbVnr4
znHLsNYZpNH4lbXAQudqiILNEQMiKAUMDCbp+NiQdNtdkzyoBAin4BblJrWGrMIE
8REZhtG/LWstaopB06AGLCWd58KQLK2qcRYXQzMYWQxwJAQaiBNaObMSGgcyJR+c
UQWLwGT3WHgN62HQIvQVXLKTjCbfzrGwdm5WvivXXVBQB6IRYKiZBMFjASTE1JTk
m+dB5d4aGO4J+CY6GOxJZvm9zPxEU3Q0Bnm5DnRuisYlPQRJ6NxTPDBDQSiWfS92
+GMEZ4YPRoJJN+gbZGr2qCwm/BLM+NX1JEY3yFiEZ0ri09vJ4zghtRM9c3u2SxLX
j0KXEFkWHFQLOLFqn1vt9FuCsgyc8EcZXD4xBNLUnTF96M7CMAz5R1xZsQ/2xBRf
2WfYnSmp/VL6pvXhD3WKrf+g+Ou9afnAnrIPv5ra6Cn/YV/NV5+uvXr0rtrpo1/v
OXXP8ZY7Gypevuedu8vI0oMFLWt29H2wdsSlwQUteemP/TI8u7lLOX9KPTZsZ+He
ZwYXVpxDD3x9tujKtd9OdDRvK/xj1jrj9JBlke2+w+Stc1tw64a6oZ4b7RNdrpYO
saJ/Xl1e2V8lRZsPbW1bwibIox9u2eJc/VHzqcvHFmXdONm09t2bWzI6X5q/OW1h
WtfkPd+9oW/OHDl8yb4/v1nTPfv9002+P7PIidVH5t+1e1r3lf0fjm0/Upn593vp
HRddkU8avn7ls8ync3xKnrDUGPUTcU9NGbXoUu6J1Z030y7Yv1//+xPpK9t8ubsH
9Ez4bdT0pn3+XZEjP4+adfnHV7/c+W3nuXVzjt0vCU2f958rDsqd19btNaZfb390
zth+uzrbVi6ac2BgyJZZPHLB6YX5DelXWnM3jOnTcejM9av3nfrmiQk7om//lHk4
NLRVOfpxuz5be/z3ATMG3lu46/Urzz7fGNn33tHrX2z7dEHzwe6GkU/2GdrV7+8H
JPsecVbPyYKqP4pbX3DPXtFynO5u/Ln97JBxA8hCdljsnlm7qq4h+NqtIbjnJW/K
5j0j1s1M3dTy5aDsFxvPTu12HEiVm9ann/hs/5E6efibYe/WAeHzn4y+EPn1+IUu
17IFtzZOY9v9l/aPvu/W0L7Gira911rdL47fuJwtOvz91h8eXnV5WGO475PT/gE=
=nyj5
-----END PGP MESSAGE-----