One of the vulnerabilities that researchers from the University of York discovered in widely-used password managers could have resulted in malicious apps stealing users’ credentials.
Password managers are encrypted vaults employed to store credentials and other sensitive information, and they allow the use of strong, unique credentials for each of the applications and online services an individual uses.
Many security experts encourage the use of these password managers, although they also recommend the adoption of multi-factor authentication (MFA), to ensure that attackers can’t access a user’s account even if the credentials protecting it are compromised.
University of York researchers Michael Carr and Siamak F. Shahandashti analyzed five popular commercial password managers – LastPass, Dashlane, Keeper, 1Password, and RoboForm – and identified four previously unknown vulnerabilities, including one that could result in exposed credentials.
The most important of the discovered flaws could have allowed a malicious app to impersonate a legitimate program and trick the password manager into revealing stored credentials for the respective service, the researchers explain in a newly published whitepaper (PDF).
The issue impacts the 1Password and LastPass Android applications, both of which were found vulnerable to a phishing attack due to the use of “weak matching criteria for identifying which stored credentials to suggest for autofill.”
Thus, the researchers explain, a malicious app could impersonate a legitimate one by simply using an identical package name. The researchers built a proof-of-concept application that employs this attack on LastPass, but say that the same applies to 1Password as well.
“This app had a login screen […] that was designed to mimic that of the official Google login screen and thereby be hard to distinguish. The weak matching employed by LastPass means that when the malicious app is launched, LastPass will offer to autofill the login page with Google credentials stored in a user’s vault,” the researchers explain.
For the attack to be successful, however, the malicious app needs to be installed on the victim’s Android device, for the victim to use the vulnerable password managers and their autofill prompts, and to have credentials for the target application stored in the encrypted vault.
Another vulnerability that the researchers discovered in the analyzed password managers — except for 1Password — was that they did not provide enough protection for the credentials copied to the clipboard. Specifically, on Windows 10, credentials could be pasted in clear text from the clipboard even if the computer was locked.
“Although the attack will not be aware as to what account this password is associated with, they can try the credentials with a precompiled list of websites for which autofill is known not to work. The suggested mitigation for this issue would be for the password managers to provide an option to clear the clipboard after a set amount of time,” the researchers note.
For increased ease-of-use, some password managers allow users to secure their vault with a 4-digit PIN, but Carr and Shahandashti found that the RoboForm and Dashlane Android applications did not have a persistent counter on the number of incorrect PIN attempts.
Thus, an attacker could attempt two PINs consecutively, then remove the app from the recent application drawer, and try two more PINs. Even if the attacker would manually introduce PINs, they would still be able to find a randomly selected PIN in 2.5 hours, on average.
“We did not fully automate this attack, but we expect an automated attack to take considerably less time to brute force the PIN,” the researchers note, adding that successful cracking of the PIN could allow the attacker to “view, modify, or delete records within the password manager’s vault.”
With all of the tested password managers providing users with browser extensions, the researchers discovered that Keeper, Dashlane and 1Password might be vulnerable to “a UI driven brute force attack when entering the master password.”
Specifically, the password managers had no security measure in place to halt the authentication process even after 10 unsuccessful login attempts, which could allow for a dictionary attack to be mounted. None of the password managers had a count to keep track of the number of incorrect attempts, but RoboForm and LastPass implement mechanisms to slow down possible brute force attacks.
The issues were discovered in 2017. The researchers contacted the vendors to responsibly disclose the discovered vulnerabilities in 2018 and say that all five vendors were responsive, although only a few disclosures resulted in a fix being rolled out, mainly because the issues were considered low-priority.
Related: Hardware-based Password Managers Store Credentials in Plaintext
Related: Overall Security of Password Managers Debatable, Cracking Firm Says
Related: Many Users Don’t Change Unsafe Passwords After Being Warned: Google