Password managers hacked: Researchers find ‘critical’ vulnerabilities
University of California Berkeley researchers have discovered a number of quickly patched vulnerabilities in LastPass, My1Login, NeedMyPassword, PasswordBox and RoboForm. They described their work as a “wake-up call” for password manager developers.
“Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in their paper. “We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords.”
The researchers noted that the root causes of the vulnerabilities are also diverse – these range from authorization and logic mistakes to misunderstandings about web security models, and more typical vulnerabilities like XSS (cross-site scripting) and CSRF (cross-site request forgery).
In LastPass, the researchers discovered a vulnerability in the bookmarklet option that permits integration with iOS’s Safari browser. The flaw works if users are tricked into running Java on the attacker’s website. For example, an attacker could set up a fake banking website; a user who invoked the bookmarklet to log in there would hand over their password credentials.
LastPass was also affected by a CSRF bug that allows attackers to see which devices and apps are running the software. The bug also gives attackers access to a user’s entire master password-encrypted vault.
LastPass has issued a statement playing down the risk, stating that it issued a patch last September to fix these problems.
“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” said the company’s chief information officer Joe Siegrist.
“The OTP attack is a ‘targeted attack’ requiring an attacker to know the user’s username to potentially exploit it, and to serve that custom attack [for each] user [which is] activity which we have not seen,” LastPass said. “Even if this was exploited, the attacker would still not have the key to decrypt user data.”
The researchers aren’t advising anyone to avoid using password managers. Rather, they’re warning developers and users that such software is not entirely foolproof.
“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem,” wrote the researchers, noting that a secure password manager’s design requires systematic defense-in-depth.
The researchers plan to build tools that will automate vulnerability detection within password managers, and will follow this up with their own “principled, secure-by-construction” password management software.