Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:20 AM
Connect Directly

Hacking Password Managers

Researchers find four classes of common vulnerabilities in popular password managers and recommend greater industry scrutiny and more automated ways to find vulnerabilities.

A group of researchers next month will present their finding a grab-bag of vulnerabilities in Web-based password managers, which they believe to be a wakeup call for the major password manager companies. The technical details are slated to be fully aired out at the Usenix conference in San Diego in late August, but conclusions from the research were released via a peer-reviewed paper made public last week.

The team, led by Zhiwei Li of the University of California at Berkeley, outlines four major classes of vulnerabilities they discovered, along with representative case-study vulnerabilities to illustrate each. The four classes of vulnerabilities found by the team are bookmarklet vulnerabilities, web vulnerabilities, authorization vulnerabilities, and user interface vulnerabilities:

Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS. Our study suggests that it remains to be a challenge for the password managers to be secure.

The five major password managers tested are LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword. All of the vulnerabilities detailed in the research were responsibly disclosed and have already been fixed by the vendors named in the paper. Among the most dramatic of the vulnerabilities found in these managers were flaws in the features in LastPass, RoboForm, and My1login that offer access  to credentials and auto-fill using JavaScript bookmarklet code.

"We found critical vulnerabilities in all three bookmarklets we studied," the researchers report. "If a user clicks on the bookmarklet on an attacker’s site, the attacker, in all three cases, learns credentials for arbitrary websites."

Only the bookmarklet flaw in LastPass was described at length, with the researchers showing how a malicious web application specifically targeting this feature could get the password manager to give away credentials to other sites. In its post on the topic, LastPass noted the risk of this now-fixed vulnerability to users is low, as bookmarklets are used by less than 1 percent of its user base. Meanwhile, the firm also fixed a flaw detailed in the report that allowed researchers to attack its one-time password (OTP) functionality. The researchers were able to use a cross-site request forgery (CSRF) attack to find out all the web applications a user has credentials stored for, to steal the user's LastPass encrypted password database, and to delete credentials in that database, even if the attacker can't unencrypt these credentials.

"Regarding the OTP attack, it is a 'targeted attack,' requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen," LastPass stated. "Even if this was exploited, the attacker would still not have the key to decrypt user data."

According to the report, the vulnerabilities the team found should prod password manager developers to do a better job with defense-in-depth and to improve their underlying development processes:

Our work is a wake-up call for developers of web-based password managers. The wide spectrum of discovered vulnerabilities, however, makes a single solution unlikely. Instead, we believe developing a secure web-based password manager entails a systematic, defense-in-depth approach... Future work includes creating tools to automatically identify such vulnerabilities and developing a principled, secure-by-construction password manager.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 9:22:31 AM
Re: trusting a password manager?
I just worry about the pw manager service getting 0wned. I like keeping control, even if it's a pain in the neck.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/15/2014 | 9:14:53 AM
Re: trusting a password manager?
I tried a password manager once and then immediately forgo the password. #Dumbmistake
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
7/14/2014 | 6:14:13 PM
trusting a password manager?
I've wanted to go with a password manager for a while now, but I am still not comfortable with the concept. Developments like this make me kind of glad I've held back. 

I'd love to hear what other folks think about the risks of a password manager. 
<<   <   Page 2 / 2
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.