Not all they’re cracked up to be? Several password vaults contain vulnerabilities, both new and previously disclosed but never patched, a study says
Several popular password managers contain security vulnerabilities that could be exploited to breach the walls that are supposed to keep your passwords safe, according to researchers from the University of York.
After considering a pool of 19 password managers, the academics chose to test LastPass, Dashlane, Keeper, 1Password, and RoboForm based on their popularity and features. They uncovered a total of four new vulnerabilities, including a flaw in both the 1Password and LastPass Android applications that made them susceptible to phishing attacks. The vulnerability is caused by their use of weak matching criteria for deciding which of the stored credentials should be suggested for autofill.
“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” said Dr. Siamak Shahandashti from the Department of Computer Science at the University of York. He went on to add that, in order to remedy the situation, the password vaults should add stricter matching criteria that aren’t based just on “an app’s purported package name”.
The researchers also discovered that the Android applications of both RoboForm and Dashlane are susceptible to PIN brute-force attacks. This flaw allows an unlimited number of attempts at entering the master PIN, which may ultimately unlock the password vaults.
“Through extrapolation of manual testing, it is estimated that even a manual random guessing attack is on average expected to find a randomly selected PIN in 2.5 hours,” the researchers explained, adding that factoring in additional variables can significantly reduce the time it takes to break the PIN.
The tools’ respective vendors were duly notified about the newly discovered vulnerabilities. “Some were fixed immediately while others were deemed low priority,” said Michael Carr, the lead author of the study.
In addition, the password managers also underwent rigorous testing against six previously disclosed vulnerabilities to see if the security holes had been plugged. The test showed that all except one of the password managers were susceptible to URL mismatch, and all of them were vulnerable to Ignoring Subdomains and HTTP(S) Autofill exploits. Dashlane fared the worst, as it was vulnerable to five out of the six vulnerabilities disclosed earlier.
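As an added illustration (not code from the study or from any of the managers named), the Python sketch below contrasts the loose site matching behind those three previously disclosed weaknesses with a strict origin check: the loose rule compares only the tail of the hostname and ignores the scheme, so a lookalike subdomain or a downgraded http page still receives the saved credential. The sample vault entries and the exact matching rules are my assumptions about what such checks look like, not the study's test definitions.

```python
from typing import Callable, List
from urllib.parse import urlsplit

# Constructed sample vault: each entry records the full origin it was saved on.
VAULT = [
    {"site": "https://login.example.com", "user": "alice"},
    {"site": "https://bank.example", "user": "alice-bank"},
]


def weak_match(saved: str, page: str) -> bool:
    """Loose matching of the kind the study flags (assumed rules): only the
    last two host labels are compared and the scheme is never checked, so any
    subdomain and any plain-http page is offered the saved credential."""
    s, p = urlsplit(saved), urlsplit(page)
    if not s.hostname or not p.hostname:
        return False
    tail = ".".join(s.hostname.split(".")[-2:])
    return p.hostname == tail or p.hostname.endswith("." + tail)


def strict_match(saved: str, page: str) -> bool:
    """Origin-based matching: scheme, full host and port must all agree, and a
    credential saved on an https origin is never offered on http."""
    s, p = urlsplit(saved), urlsplit(page)
    if not s.hostname or not p.hostname:
        return False
    return (
        s.scheme == "https"
        and p.scheme == "https"
        and s.hostname == p.hostname  # urlsplit already lower-cases hostname
        and (s.port or 443) == (p.port or 443)
    )


def autofill_candidates(page: str, matcher: Callable = strict_match) -> List[str]:
    """Usernames the manager would offer on `page` under the given policy."""
    return [e["user"] for e in VAULT if matcher(e["site"], page)]


if __name__ == "__main__":
    for page in ("https://login.example.com/account",
                 "https://evil.example.com",      # lookalike subdomain
                 "http://login.example.com"):     # downgraded to plain http
        print(page, "weak:", autofill_candidates(page, weak_match),
              "strict:", autofill_candidates(page, strict_match))
```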
Although the team admitted that “rigorous security models and canonical security tests for password managers” are needed, they still recommend their use to businesses and individuals alike, as they continue to be a more secure and usable option than resorting to password recycling or trying to memorize them all.
Food for thought, since people continue to make questionable choices when choosing passwords to protect their data, as evidenced by the fact that “12345” and similarly easy-to-hack passwords remain popular choices for many netizens.