Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/14/2014
11:20 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Hacking Password Managers

Researchers find four classes of common vulnerabilities in popular password managers and recommend greater industry scrutiny and more automated ways to find vulnerabilities.

A group of researchers next month will present their finding a grab-bag of vulnerabilities in Web-based password managers, which they believe to be a wakeup call for the major password manager companies. The technical details are slated to be fully aired out at the Usenix conference in San Diego in late August, but conclusions from the research were released via a peer-reviewed paper made public last week.

The team, led by Zhiwei Li of the University of California at Berkeley, outlines four major classes of vulnerabilities they discovered, along with representative case-study vulnerabilities to illustrate each. The four classes of vulnerabilities found by the team are bookmarklet vulnerabilities, web vulnerabilities, authorization vulnerabilities, and user interface vulnerabilities:

Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS. Our study suggests that it remains to be a challenge for the password managers to be secure.

The five major password managers tested are LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword. All of the vulnerabilities detailed in the research were responsibly disclosed and have already been fixed by the vendors named in the paper. Among the most dramatic of the vulnerabilities found in these managers were flaws in the features in LastPass, RoboForm, and My1login that offer access  to credentials and auto-fill using JavaScript bookmarklet code.

"We found critical vulnerabilities in all three bookmarklets we studied," the researchers report. "If a user clicks on the bookmarklet on an attacker’s site, the attacker, in all three cases, learns credentials for arbitrary websites."

Only the bookmarklet flaw in LastPass was described at length, with the researchers showing how a malicious web application specifically targeting this feature could get the password manager to give away credentials to other sites. In its post on the topic, LastPass noted the risk of this now-fixed vulnerability to users is low, as bookmarklets are used by less than 1 percent of its user base. Meanwhile, the firm also fixed a flaw detailed in the report that allowed researchers to attack its one-time password (OTP) functionality. The researchers were able to use a cross-site request forgery (CSRF) attack to find out all the web applications a user has credentials stored for, to steal the user's LastPass encrypted password database, and to delete credentials in that database, even if the attacker can't unencrypt these credentials.

"Regarding the OTP attack, it is a 'targeted attack,' requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen," LastPass stated. "Even if this was exploited, the attacker would still not have the key to decrypt user data."

According to the report, the vulnerabilities the team found should prod password manager developers to do a better job with defense-in-depth and to improve their underlying development processes:

Our work is a wake-up call for developers of web-based password managers. The wide spectrum of discovered vulnerabilities, however, makes a single solution unlikely. Instead, we believe developing a secure web-based password manager entails a systematic, defense-in-depth approach... Future work includes creating tools to automatically identify such vulnerabilities and developing a principled, secure-by-construction password manager.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/14/2014 | 6:14:13 PM
trusting a password manager?
I've wanted to go with a password manager for a while now, but I am still not comfortable with the concept. Developments like this make me kind of glad I've held back. 

I'd love to hear what other folks think about the risks of a password manager. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/15/2014 | 9:14:53 AM
Re: trusting a password manager?
I tried a password manager once and then immediately forgo the password. #Dumbmistake
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 9:22:31 AM
Re: trusting a password manager?
I just worry about the pw manager service getting 0wned. I like keeping control, even if it's a pain in the neck.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/15/2014 | 9:41:10 AM
Re: trusting a password manager?
@Kelly  I feel the same way. I'd rather use my own brain. And for stuff that I don't use often that I feel like my husband might need to know, I stick it on my fridge. If someone breaks into my apartment, I'll have bigger problems. Well, at least, more problems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/15/2014 | 9:49:08 AM
All the same
We have to assume that the apps that store or generate passwords have the same vulnerabilities as other regular applications. I do not use any apps for passwords, however it is getting overloaded I can tell, defining a different password per site, that is too much. :--))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/15/2014 | 9:51:38 AM
Re: trusting a password manager?
Agree. Maybe that or, find a way to remember the password per site easily. Such as remembering logo of the site and defining password that we can related to it. I just gave away my way of defining password :--))
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 9:52:47 AM
Re: trusting a password manager?
Ha! I hear ya. I have my secret cryptic cheat-sheet. It's lame, but it makes me feel somewhat in control. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/15/2014 | 9:54:13 AM
Re: trusting a password manager?
That is the problem Marilyn. You still need to keep a password in mind. We should just revamp this username/password and defining new ways of protecting ourselves. I do not know what it would be but I know username/password pair is not really working when ii comes to security or privacy.
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
7/15/2014 | 9:58:38 AM
Re: trusting a password manager?
I am a bit nervous about using Roboform and Lastpass, but I find them to be essential.  I think I am less vulnerable by using a PW manager than I am using the same password for every website I use. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 10:01:39 AM
Re: trusting a password manager?
I have probably 100 different complex passwords, so remembering all of them is impossible. A pw manager is certainly tempting, but something keeps stopping me from putting my eggs in that basket. #paranoidsecurityjourno
Page 1 / 2   >   >>
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17789
PUBLISHED: 2019-09-20
Prospecta Master Data Online (MDO) allows CSRF.
CVE-2019-11280
PUBLISHED: 2019-09-20
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain ...
CVE-2019-11326
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product is protected by a login. A guest is allowed to login. Once logged in as a guest, an attacker can browse a URL to read the password of the administrative user. The same pro...
CVE-2019-11327
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's files system.
CVE-2019-14814
PUBLISHED: 2019-09-20
There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.