Flaw in Password Managers Allowed Apps to Steal Credentials

One of the vulnerabilities that researchers from the University of York discovered in widely-used password managers could have resulted in malicious apps stealing users’ credentials.

Password managers are encrypted vaults employed to store credentials and other sensitive information, and they allow the use of strong, unique credentials for each of the applications and online services an individual uses.

Many security experts encourage the use of these password managers, although they also recommend the adoption of multi-factor authentication (MFA), to ensure that attackers can’t access a user’s account even if the credentials protecting it are compromised.

University of York researchers Michael Carr and Siamak F. Shahandashti analyzed five popular commercial password managers – LastPass, Dashlane, Keeper, 1Password, and RoboForm – and identified four previously unknown vulnerabilities, including one that could result in exposed credentials.

The most important of the discovered flaws could have allowed a malicious app to impersonate a legitimate program and trick the password manager into revealing stored credentials for the respective service, the researchers explain in a newly published whitepaper (PDF).

The issue impacts the 1Password and LastPass Android applications, both of which were found vulnerable to a phishing attack due to the use of “weak matching criteria for identifying which stored credentials to suggest for autofill.”

Thus, the researchers explain, a malicious app could impersonate a legitimate one by simply using an identical package name. The researchers built a proof-of-concept application that employs this attack on LastPass, but say that the same applies to 1Password as well.

“This app had a login screen […] that was designed to mimic that of the official Google login screen and thereby be hard to distinguish. The weak matching employed by LastPass means that when the malicious app is launched, LastPass will offer to autofill the login page with Google credentials stored in a user’s vault,” the researchers explain.

For the attack to succeed, however, the malicious app must be installed on the victim’s Android device, the victim must use the vulnerable password manager and accept its autofill prompts, and credentials for the impersonated application must already be stored in the encrypted vault.
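As an added illustration (not code from the paper or from any of the vendors), the following Python model contrasts the weak package-name-only matching described above with matching that also pins the requesting app's signing-certificate fingerprint, which on Android is available to the autofill service from the package manager. The package name, certificates and vault record are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AppIdentity:
    """What the autofill service knows about the app requesting a fill."""
    package_name: str
    signing_cert_sha256: str  # hex SHA-256 of the APK signing certificate


@dataclass(frozen=True)
class VaultEntry:
    label: str
    username: str
    package_name: str
    signing_cert_sha256: str  # recorded when the user first saved the login


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample data: a fake signing certificate and one vault record.
GOOGLE_CERT = cert_fingerprint(b"constructed: genuine signing cert")
VAULT = [VaultEntry("Google", "alice@example.com", "com.example.googleclient", GOOGLE_CERT)]


def weak_match(vault, app):
    """Package name only: any app that claims the name is offered the credentials."""
    return [e for e in vault if e.package_name == app.package_name]


def strict_match(vault, app):
    """Package name AND signing certificate must both match the saved record."""
    return [e for e in vault
            if e.package_name == app.package_name
            and hmac.compare_digest(e.signing_cert_sha256, app.signing_cert_sha256)]


def offered_labels(matcher, app):
    return [e.label for e in matcher(VAULT, app)]


GENUINE = AppIdentity("com.example.googleclient", GOOGLE_CERT)
# Same package name, but signed with a different (constructed) certificate.
IMPOSTOR = AppIdentity("com.example.googleclient",
                       cert_fingerprint(b"constructed: self-signed cert"))

if __name__ == "__main__":
    for name, app in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, "weak:", offered_labels(weak_match, app),
              "strict:", offered_labels(strict_match, app))
```

The weak matcher offers the stored "Google" login to both apps; the strict matcher offers it only to the app whose signing certificate matches the one recorded at save time.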

Another vulnerability that the researchers discovered in the analyzed password managers — except for 1Password — was that they did not provide enough protection for the credentials copied to the clipboard. Specifically, on Windows 10, credentials could be pasted in clear text from the clipboard even if the computer was locked.

“Although the attack will not be aware as to what account this password is associated with, they can try the credentials with a precompiled list of websites for which autofill is known not to work. The suggested mitigation for this issue would be for the password managers to provide an option to clear the clipboard after a set amount of time,” the researchers note.

For increased ease-of-use, some password managers allow users to secure their vault with a 4-digit PIN, but Carr and Shahandashti found that the RoboForm and Dashlane Android applications did not have a persistent counter on the number of incorrect PIN attempts.

Thus, an attacker could attempt two PINs consecutively, remove the app from the recent applications list, and then try two more PINs. Even entering PINs manually, an attacker would find a randomly selected PIN in 2.5 hours on average.

“We did not fully automate this attack, but we expect an automated attack to take considerably less time to brute force the PIN,” the researchers note, adding that successful cracking of the PIN could allow the attacker to “view, modify, or delete records within the password manager’s vault.”

With all of the tested password managers providing users with browser extensions, the researchers discovered that Keeper, Dashlane and 1Password might be vulnerable to “a UI driven brute force attack when entering the master password.”

Specifically, the password managers had no mechanism to halt the authentication process even after 10 unsuccessful login attempts, which would allow a dictionary attack to be mounted. None of the password managers kept a count of incorrect attempts, but RoboForm and LastPass implement mechanisms to slow down brute-force attempts.
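The PIN-counter and master-password-lockout findings above share one fix: a failure counter that is persisted before the result is returned, together with a lockout that grows with each further failure. This Python sketch is an added example (not code from any of the password managers); the JSON state file, the thresholds, the injectable clock and the hash_pin helper (a plain salted SHA-256 standing in for a real KDF) are assumptions.

```python
import hashlib
import hmac
import json
import os
from pathlib import Path

FREE_ATTEMPTS = 3          # failures tolerated before throttling starts
BASE_LOCKOUT_SECONDS = 30  # doubles with every further failure


def hash_pin(pin: str, salt: bytes = b"constructed-salt") -> str:
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def reset_state(state_path) -> None:
    Path(state_path).unlink(missing_ok=True)


class PinGuard:
    """PIN check whose failure counter and lockout deadline survive app restarts."""

    def __init__(self, state_path, pin_hash: str, clock):
        self.state_path = Path(state_path)
        self.pin_hash = pin_hash
        self.clock = clock  # returns seconds; injectable so tests can advance time
        if self.state_path.exists():
            self.state = json.loads(self.state_path.read_text())
        else:
            self.state = {"failures": 0, "locked_until": 0.0}

    def _save(self) -> None:
        tmp = self.state_path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.state))
        os.replace(tmp, self.state_path)  # atomic: a crash cannot lose the counter

    def try_unlock(self, pin: str) -> str:
        now = self.clock()
        if now < self.state["locked_until"]:
            return "locked"  # refuse even a correct PIN while locked out
        if hmac.compare_digest(hash_pin(pin), self.pin_hash):
            self.state = {"failures": 0, "locked_until": 0.0}
            self._save()
            return "ok"
        self.state["failures"] += 1
        extra = self.state["failures"] - FREE_ATTEMPTS
        if extra >= 0:
            self.state["locked_until"] = now + BASE_LOCKOUT_SECONDS * 2 ** extra
        self._save()  # written before returning, so killing the app does not help
        return "wrong"
```

Because the counter is reloaded from disk in the constructor, a fresh PinGuard (the equivalent of relaunching the app) starts from the previous failure count rather than from zero.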

The issues were discovered in 2017. The researchers contacted the vendors to responsibly disclose the discovered vulnerabilities in 2018 and say that all five vendors were responsive, although only a few disclosures resulted in a fix being rolled out, mainly because the issues were considered low-priority.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.