Flaws in top password managers can expose the very data they are supposed to protect, a study by researchers at Independent Security Evaluators (ISE) found.
“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” ISE CEO Stephen Bono said in a release announcing the findings of “Under the Hood of Secrets Management.” “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
Assessing the underlying functionality of 1Password, Dashlane, KeePass and LastPass on Windows 10, researchers discovered that in some cases the master password remained in plaintext in the computer’s memory even while the password manager was locked, and that it could then be extracted using standard memory forensics.
“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” ISE Lead Researcher Adrian Bednarek said, noting that once hackers get their hands on the master password, “it’s game over.”
Sandor Palfy, LastPass CTO, said in a statement sent to SC Media that the “particular vulnerability, in LastPass for Applications,” the company’s “legacy, local Windows Application (which accounts for less than .2 percent of all LastPass usage), was brought to our attention by researchers through our Bug Bounty Program.”
He explained that to be able to “read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer.” The company has “already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report,” said Palfy. “To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind.”
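The finding above (the master password still readable in process memory after the manager is locked) and the vendor’s fix (clearing memory on lock) come down to one coding discipline: a secret must be overwritten before the program stops using it, not merely marked as unavailable. The following is an added example written for this article, not code from ISE or from any of the password managers named; the `vault_t` struct, the two lock functions and the sample password are constructed for illustration. It puts the naive lock (flip a flag, leave the bytes) beside the hardened lock (wipe, then flip), and includes a self-check a developer can run in unit tests to confirm the plaintext is gone from the object’s memory.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not code from the article or from any vendor.
 * A toy "vault" holds the master password in a fixed buffer while
 * unlocked. Two lock routines are compared: one that only changes the
 * state flag, and one that overwrites the secret first. */

#define SECRET_MAX 64

/* memset through a volatile function pointer: the compiler cannot prove
 * the call is dead, so the overwrite is not optimized away the way a
 * plain memset of a soon-to-be-unused buffer often is. */
static void *(*volatile memset_volatile)(void *, int, size_t) = memset;

static void secure_zero(void *buf, size_t len) {
    memset_volatile(buf, 0, len);
}

typedef struct {
    char master[SECRET_MAX]; /* plaintext master password while unlocked */
    int unlocked;
} vault_t;

void vault_unlock(vault_t *v, const char *master) {
    snprintf(v->master, sizeof v->master, "%s", master);
    v->unlocked = 1;
}

/* Naive lock: the UI says "locked", but the bytes are still there. */
void vault_lock_naive(vault_t *v) {
    v->unlocked = 0;
}

/* Hardened lock: wipe the secret before reporting the locked state. */
void vault_lock_wiped(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    v->unlocked = 0;
}

/* Self-check for tests: scan the vault object's own bytes for the
 * plaintext. Returns 1 if the secret is still present, 0 otherwise. */
int secret_in_memory(const vault_t *v, const char *secret) {
    size_t n = strlen(secret);
    if (n == 0 || n > sizeof v->master) return 0;
    const unsigned char *p = (const unsigned char *)v;
    for (size_t i = 0; i + n <= sizeof *v; i++) {
        if (memcmp(p + i, secret, n) == 0) return 1;
    }
    return 0;
}

/* Scenario 1: unlock, then lock naively. Returns the residue check. */
int demo_naive_leaves_residue(void) {
    const char *pw = "correct horse battery staple"; /* constructed sample */
    vault_t v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, pw);
    vault_lock_naive(&v);
    return secret_in_memory(&v, pw);
}

/* Scenario 2: unlock, then lock with a wipe. Returns the residue check. */
int demo_wipe_removes_residue(void) {
    const char *pw = "correct horse battery staple"; /* constructed sample */
    vault_t v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, pw);
    vault_lock_wiped(&v);
    return secret_in_memory(&v, pw);
}

int main(void) {
    printf("naive lock, secret still in memory: %s\n",
           demo_naive_leaves_residue() ? "yes" : "no");
    printf("wiped lock, secret still in memory: %s\n",
           demo_wipe_removes_residue() ? "yes" : "no");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, wiping one struct only removes one copy; a real application also holds the secret in UI widgets, string objects, library buffers and possibly the page file, which is why the vendor’s stronger remedy is to exit the process entirely rather than zero selected buffers. Second, the wipe must survive optimization: a plain `memset` right before a buffer goes out of scope is routinely removed as dead code, so use a volatile-pointer call like the one above or a platform primitive such as `SecureZeroMemory` on Windows or `explicit_bzero` where available.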
He said there’s no indication that sensitive LastPass user data was compromised. “As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible,” said Palfy.