Flaw in Password Managers Allowed Apps to Steal Credentials

One of the vulnerabilities that researchers from the University of York discovered in widely-used password managers could have resulted in malicious apps stealing users’ credentials.


Password managers are encrypted vaults employed to store credentials and other sensitive information, and they allow the use of strong, unique credentials for each of the applications and online services an individual uses.

Many security experts encourage the use of these password managers, although they also recommend the adoption of multi-factor authentication (MFA), to ensure that attackers can’t access a user’s account even if the credentials protecting it are compromised.

University of York researchers Michael Carr and Siamak F. Shahandashti analyzed five popular commercial password managers – LastPass, Dashlane, Keeper, 1Password, and RoboForm – and identified four previously unknown vulnerabilities, including one that could result in exposed credentials.

The most important of the discovered flaws could have allowed a malicious app to impersonate a legitimate program and trick the password manager into revealing stored credentials for the respective service, the researchers explain in a newly published whitepaper (PDF).

The issue impacts the 1Password and LastPass Android applications, both of which were found vulnerable to a phishing attack due to the use of “weak matching criteria for identifying which stored credentials to suggest for autofill.”

Thus, the researchers explain, a malicious app could impersonate a legitimate one simply by declaring the same package name. The researchers built a proof-of-concept application that carries out this attack against LastPass, but say the same applies to 1Password.

“This app had a login screen […] that was designed to mimic that of the official Google login screen and thereby be hard to distinguish. The weak matching employed by LastPass means that when the malicious app is launched, LastPass will offer to autofill the login page with Google credentials stored in a user’s vault,” the researchers explain.

For the attack to succeed, however, the malicious app must be installed on the victim's Android device, the victim must use a vulnerable password manager and accept its autofill prompts, and credentials for the impersonated application must be stored in the encrypted vault.
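The matching weakness described above, as an added example in Python that is not code from the paper or from LastPass or 1Password: a vault matcher that keys on the Android package name alone, beside one that also requires the requesting app's signing-certificate digest to match an app the site has associated with itself. All package names, digests and vault contents are constructed for the example, and it is assumed that the autofill service can obtain the requesting app's signing-certificate digest (on Android this is available through PackageManager).

```python
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppIdentity:
    """What an autofill service can learn about the app asking to be filled:
    the declared package name and the SHA-256 digest of the APK signing
    certificate. Values used below are constructed for the example."""
    package: str
    cert_sha256: str  # hex digest


@dataclass
class VaultEntry:
    site: str
    username: str
    password: str
    # Apps the site has publicly declared as its own (package + cert digest),
    # in the way a Digital Asset Links record does.
    trusted_apps: list = field(default_factory=list)


# Constructed identities: a fictional "official" app and an impostor that
# reuses its package name but is signed with a different key.
OFFICIAL_APP = AppIdentity("com.example.accounts", "aa" * 32)
IMPOSTOR_APP = AppIdentity("com.example.accounts", "bb" * 32)

# Constructed vault contents.
VAULT = [
    VaultEntry("accounts.example.com", "alice@example.com",
               "correct horse battery", trusted_apps=[OFFICIAL_APP]),
    VaultEntry("bank.example", "alice", "another secret"),
]


def weak_match(vault, app):
    """Vulnerable matcher: offers every entry whose trusted app merely shares
    the requesting app's package name. Any APK can declare any package name,
    so an impostor is offered the real credentials."""
    return [e for e in vault
            if any(t.package == app.package for t in e.trusted_apps)]


def strong_match(vault, app):
    """Hardened matcher: package name AND signing-certificate digest must both
    match an association the site published. A sideloaded impostor cannot
    reproduce the legitimate developer's signing key, so it is offered nothing."""
    return [e for e in vault
            if any(t.package == app.package
                   and hmac.compare_digest(t.cert_sha256, app.cert_sha256)
                   for t in e.trusted_apps)]


def offered_usernames(matcher, app):
    """Usernames the autofill prompt would suggest for `app` under `matcher`."""
    return [e.username for e in matcher(VAULT, app)]
```

Under `weak_match` the impostor is offered `alice@example.com`; under `strong_match` it is offered nothing while the official app still gets its credentials. One practical caveat: Android does not install two packages with the same name side by side, so an impostor of this kind targets a device on which the legitimate app is absent, which is why the login screen has to mimic the real one convincingly.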

Another vulnerability the researchers found in the analyzed password managers (all except 1Password) was insufficient protection of credentials copied to the clipboard. Specifically, on Windows 10, a copied password stayed on the clipboard in clear text and could be pasted even while the computer was locked.

“Although the attack will not be aware as to what account this password is associated with, they can try the credentials with a precompiled list of websites for which autofill is known not to work. The suggested mitigation for this issue would be for the password managers to provide an option to clear the clipboard after a set amount of time,” the researchers note.
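The suggested mitigation, as an added example in Python that is not code from any of the tested products: a timed clipboard wipe that clears the clipboard only if it still holds the secret that was copied, so that a value the user copied in the meantime is left alone. The clipboard and the clock are stand-ins constructed for the example so that it runs offline and deterministically; a real implementation would wrap the platform clipboard API and a timer.

```python
import hashlib
import hmac


class FakeClipboard:
    """Stand-in for the OS clipboard, constructed for the example."""
    def __init__(self):
        self._text = ""

    def get_text(self):
        return self._text

    def set_text(self, text):
        self._text = text


class FakeClock:
    """Controllable clock so the timeout can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def time(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SecretCopier:
    """Copies a secret to the clipboard and wipes it after `timeout_s`,
    but only if the clipboard still holds that secret."""

    def __init__(self, clipboard, clock, timeout_s=30.0):
        self.clipboard = clipboard
        self.clock = clock
        self.timeout_s = timeout_s
        self._digest = None      # digest of what we placed on the clipboard
        self._deadline = None

    def copy_secret(self, secret):
        self.clipboard.set_text(secret)
        # Keep a digest rather than a second plaintext copy of the secret.
        self._digest = hashlib.sha256(secret.encode()).digest()
        self._deadline = self.clock.time() + self.timeout_s

    def tick(self):
        """Call from a periodic timer. Returns True if the clipboard was wiped."""
        if self._deadline is None or self.clock.time() < self._deadline:
            return False
        current = hashlib.sha256(self.clipboard.get_text().encode()).digest()
        wiped = False
        if hmac.compare_digest(current, self._digest):
            self.clipboard.set_text("")   # still our secret: wipe it
            wiped = True
        # Either way the window is over; forget the digest as well.
        self._digest = None
        self._deadline = None
        return wiped


def scenario(user_overwrites):
    """Copy a constructed secret, optionally let the user copy something
    else, run past the timeout, and report (early_wipe, wiped, clipboard)."""
    clip, clock = FakeClipboard(), FakeClock()
    copier = SecretCopier(clip, clock, timeout_s=30.0)
    copier.copy_secret("s3cr3t-p@ss")
    if user_overwrites:
        clip.set_text("grocery list")
    clock.advance(29.0)
    early = copier.tick()          # before the deadline: nothing happens
    clock.advance(1.0)
    wiped = copier.tick()
    return early, wiped, clip.get_text()
```

`scenario(False)` wipes the secret at the deadline; `scenario(True)` leaves the user's later "grocery list" untouched. Note that wiping the live clipboard does not remove earlier copies from Windows 10 Clipboard History or cloud clipboard sync; a password manager that also sets the `ExcludeClipboardContentFromMonitorProcessing` clipboard format when it copies keeps the secret out of those.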

For ease of use, some password managers let users unlock the vault with a 4-digit PIN, but Carr and Shahandashti found that the RoboForm and Dashlane Android applications did not keep a persistent count of incorrect PIN attempts.

An attacker could therefore enter two PINs, swipe the app out of the recent applications list to reset the counter, and try two more. A 4-digit PIN has only 10,000 possible values, so even entering PINs by hand the attacker would find a randomly chosen PIN in 2.5 hours on average.

“We did not fully automate this attack, but we expect an automated attack to take considerably less time to brute force the PIN,” the researchers note, adding that successful cracking of the PIN could allow the attacker to “view, modify, or delete records within the password manager’s vault.”

With all of the tested password managers providing users with browser extensions, the researchers discovered that Keeper, Dashlane and 1Password might be vulnerable to “a UI driven brute force attack when entering the master password.”

Specifically, nothing halted the authentication flow even after 10 unsuccessful login attempts, which allows a dictionary attack against the master password. None of the extensions kept a count of incorrect attempts, although RoboForm and LastPass implemented mechanisms that slow down brute-force attempts.

The issues were discovered in 2017 and responsibly disclosed to the vendors in 2018. The researchers say all five vendors were responsive, although only some of the disclosures resulted in a fix being rolled out, mainly because the issues were considered low priority.

Related: Hardware-based Password Managers Store Credentials in Plaintext

Related: Overall Security of Password Managers Debatable, Cracking Firm Says

Related: Many Users Don’t Change Unsafe Passwords After Being Warned: Google

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
