Password manager flaws can expose data on compromised devices, report says

silversurfer (Thread author)
Flaws in top password managers can expose the very data they are supposed to protect, a study by researchers at Independent Security Evaluators (ISE) found.

“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” ISE CEO Stephen Bono said in a release announcing the findings of “Under the Hood of Secrets Management.” “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

Assessing the underlying functionality of 1Password, Dashlane, KeePass and LastPass on Windows 10, researchers discovered that, in some cases, the master password could be found in plaintext in the computer’s memory while the password manager was locked, and that they could extract it using standard memory forensics.

“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” ISE lead researcher Adrian Bednarek said, noting that once hackers get their hands on the master password, “it’s game over.”

Sandor Palfy, LastPass CTO, said in a statement sent to SC Media that the “particular vulnerability, in LastPass for Applications,” the company’s “legacy, local Windows Application (which accounts for less than .2 percent of all LastPass usage) was brought to our attention by researchers through our Bug Bounty Program.”

He explained that to be able to “read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer.” The company has “already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report,” said Palfy. “To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind.”

He said there’s no indication that sensitive LastPass user data was compromised. “As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible,” said Palfy.
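As an added illustration, not code from the ISE report, LastPass or this post, here is a C sketch of the flaw the researchers describe and the mitigation Palfy outlines: a lock that merely flags the vault as locked leaves the master password recoverable by a scan of process memory, while a lock that zeroizes the buffer first does not. The vault_t structure, the function names and the sample password are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical vault state: the master password sits in a fixed buffer
 * only while the vault is unlocked. */
#define MASTER_MAX 64
typedef struct {
    char master[MASTER_MAX];
    size_t master_len;
    int unlocked;
} vault_t;
/* Zero through a volatile pointer so the compiler cannot drop the writes as
 * dead stores; explicit_bzero()/memset_s() exist for the same purpose. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}
int vault_unlock(vault_t *v, const char *pw, size_t len) {
    if (len == 0 || len > MASTER_MAX) return -1;
    memcpy(v->master, pw, len);
    v->master_len = len;
    v->unlocked = 1;
    return 0;
}
/* The failure mode in the report: "locking" flips a flag and leaves the
 * plaintext master password in process memory. */
void vault_lock_flag_only(vault_t *v) { v->unlocked = 0; }

/* Hardened lock: wipe the secret before reporting the locked state. */
void vault_lock(vault_t *v) {
    secure_wipe(v->master, sizeof v->master);
    v->master_len = 0;
    v->unlocked = 0;
}
/* Scan the whole vault state for the secret, as a memory forensics pass
 * would; returns 1 if the plaintext is still present. */
int vault_leaks_secret(const vault_t *v, const char *pw, size_t len) {
    const unsigned char *hay = (const unsigned char *)v;
    for (size_t i = 0; len && i + len <= sizeof *v; i++)
        if (memcmp(hay + i, pw, len) == 0) return 1;
    return 0;
}
/* Scenario with a constructed sample password; secure=1 uses the wiping lock. */
int locked_vault_leaks(int secure) {
    static const char pw[] = "correct-horse-battery";
    vault_t v = {0};
    if (vault_unlock(&v, pw, sizeof pw - 1) != 0) return -1;
    if (secure) vault_lock(&v); else vault_lock_flag_only(&v);
    return vault_leaks_secret(&v, pw, sizeof pw - 1);
}
```

A real implementation also has to wipe every copy the secret passed through (input buffers, derived keys, temporaries), which is why shutting the process down entirely, as Palfy describes, is the blunt but reliable option.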