Oops… Popular Password Managers Are Not As Secure As You Think

Posted in Hacker News
Just a few days ago, we reported two critical vulnerabilities in the mobile version of RoboForm, one of the most popular password manager applications, which stores your passwords for different websites.
Now researchers have published a detailed analysis of security vulnerabilities discovered in five popular password managers, including RoboForm, that could allow cybercriminals to grab your credentials.
The security holes were found and reported by University of California, Berkeley researchers Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song. The vulnerabilities were discovered in RoboForm, LastPass, My1Login, PasswordBox and NeedMyPassword.
"Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites," the researchers wrote in the paper (PDF) titled The Emperor's New Password Manager: Security Analysis of Web-based Password Managers.

"We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorisation mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF (cross site request forgery) and XSS (cross site scripting)."

There is no doubt that, unless you are a human supercomputer, remembering passwords is not an easy task, especially if you use a different password for every site. To make the whole process easier, there is a growing market of password managers and lockers that promise an extra layer of protection. But which one should you trust?
LastPass is a popular, award-winning password manager available on phones, tablets and desktops for all major operating systems and browsers. Its bookmarklet option, which permits ad-hoc integration with Safari, the most popular iOS browser, was found vulnerable if an attacker tricks the user into running the bookmarklet's JavaScript on a malicious site.
Moreover, critical CSRF vulnerabilities were found in LastPass and RoboForm, while NeedMyPassword contains both CSRF and XSS vulnerabilities.
The XSS vulnerabilities in NeedMyPassword could allow attackers to completely take over a user's account, while the CSRF vulnerabilities in LastPass and RoboForm could allow an attacker to update, delete and add arbitrary credentials in a user's credential database, steal the entire master-password-encrypted vault for later brute-forcing, and erase any stored website password.
LastPass has responded to the disclosure with a statement assuring users that the company pushed out a fix in September 2013 addressing the vulnerabilities affecting its bookmarklets and one-time passwords.

"If you are concerned that you've used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don't think it is necessary," said LastPass CEO Joe Siegrist.

"The OTP attack is a 'targeted attack' requiring an attacker to know the user's username to potentially exploit it, and serve that custom attack [for each] user [which is] activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data."

The researchers' combined work is a wake-up call for developers of web-based password managers to build more secure and principled password managers for their users.

"Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem," wrote the researchers, adding that "we believe developing a secure web-based password manager entails a systematic, defense-in-depth approach."

Source: thehackernews
