Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/14/2014
11:20 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Hacking Password Managers

Researchers find four classes of common vulnerabilities in popular password managers and recommend greater industry scrutiny and more automated ways to find vulnerabilities.

A group of researchers next month will present their finding a grab-bag of vulnerabilities in Web-based password managers, which they believe to be a wakeup call for the major password manager companies. The technical details are slated to be fully aired out at the Usenix conference in San Diego in late August, but conclusions from the research were released via a peer-reviewed paper made public last week.

The team, led by Zhiwei Li of the University of California at Berkeley, outlines four major classes of vulnerabilities they discovered, along with representative case-study vulnerabilities to illustrate each. The four classes of vulnerabilities found by the team are bookmarklet vulnerabilities, web vulnerabilities, authorization vulnerabilities, and user interface vulnerabilities:

Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS. Our study suggests that it remains to be a challenge for the password managers to be secure.

The five major password managers tested are LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword. All of the vulnerabilities detailed in the research were responsibly disclosed and have already been fixed by the vendors named in the paper. Among the most dramatic of the vulnerabilities found in these managers were flaws in the features in LastPass, RoboForm, and My1login that offer access  to credentials and auto-fill using JavaScript bookmarklet code.

"We found critical vulnerabilities in all three bookmarklets we studied," the researchers report. "If a user clicks on the bookmarklet on an attacker’s site, the attacker, in all three cases, learns credentials for arbitrary websites."

Only the bookmarklet flaw in LastPass was described at length, with the researchers showing how a malicious web application specifically targeting this feature could get the password manager to give away credentials to other sites. In its post on the topic, LastPass noted the risk of this now-fixed vulnerability to users is low, as bookmarklets are used by less than 1 percent of its user base. Meanwhile, the firm also fixed a flaw detailed in the report that allowed researchers to attack its one-time password (OTP) functionality. The researchers were able to use a cross-site request forgery (CSRF) attack to find out all the web applications a user has credentials stored for, to steal the user's LastPass encrypted password database, and to delete credentials in that database, even if the attacker can't unencrypt these credentials.

"Regarding the OTP attack, it is a 'targeted attack,' requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen," LastPass stated. "Even if this was exploited, the attacker would still not have the key to decrypt user data."

According to the report, the vulnerabilities the team found should prod password manager developers to do a better job with defense-in-depth and to improve their underlying development processes:

Our work is a wake-up call for developers of web-based password managers. The wide spectrum of discovered vulnerabilities, however, makes a single solution unlikely. Instead, we believe developing a secure web-based password manager entails a systematic, defense-in-depth approach... Future work includes creating tools to automatically identify such vulnerabilities and developing a principled, secure-by-construction password manager.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/14/2014 | 6:14:13 PM
trusting a password manager?
I've wanted to go with a password manager for a while now, but I am still not comfortable with the concept. Developments like this make me kind of glad I've held back. 

I'd love to hear what other folks think about the risks of a password manager. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/15/2014 | 9:14:53 AM
Re: trusting a password manager?
I tried a password manager once and then immediately forgo the password. #Dumbmistake
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 9:22:31 AM
Re: trusting a password manager?
I just worry about the pw manager service getting 0wned. I like keeping control, even if it's a pain in the neck.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/15/2014 | 9:41:10 AM
Re: trusting a password manager?
@Kelly  I feel the same way. I'd rather use my own brain. And for stuff that I don't use often that I feel like my husband might need to know, I stick it on my fridge. If someone breaks into my apartment, I'll have bigger problems. Well, at least, more problems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/15/2014 | 9:49:08 AM
All the same
We have to assume that the apps that store or generate passwords have the same vulnerabilities as other regular applications. I do not use any apps for passwords, however it is getting overloaded I can tell, defining a different password per site, that is too much. :--))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/15/2014 | 9:51:38 AM
Re: trusting a password manager?
Agree. Maybe that or, find a way to remember the password per site easily. Such as remembering logo of the site and defining password that we can related to it. I just gave away my way of defining password :--))
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 9:52:47 AM
Re: trusting a password manager?
Ha! I hear ya. I have my secret cryptic cheat-sheet. It's lame, but it makes me feel somewhat in control. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/15/2014 | 9:54:13 AM
Re: trusting a password manager?
That is the problem Marilyn. You still need to keep a password in mind. We should just revamp this username/password and defining new ways of protecting ourselves. I do not know what it would be but I know username/password pair is not really working when ii comes to security or privacy.
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
7/15/2014 | 9:58:38 AM
Re: trusting a password manager?
I am a bit nervous about using Roboform and Lastpass, but I find them to be essential.  I think I am less vulnerable by using a PW manager than I am using the same password for every website I use. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 10:01:39 AM
Re: trusting a password manager?
I have probably 100 different complex passwords, so remembering all of them is impossible. A pw manager is certainly tempting, but something keeps stopping me from putting my eggs in that basket. #paranoidsecurityjourno
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.