Researchers Warn Of Flaws In Popular Password Managers

Researchers from the University of California, Berkeley have published a paper describing security holes in five, web-based password managers including LastPass, My1login and Roboform.

Researchers at UC Berkeley say web-based password managers like LastPass were found to be vulnerable to common web based attacks, possibly exposing stored passwords.

According to the paper (PDF), four out of the five password managers inadvertently leaked a user's credentials for stored web sites due to all-too-common web-based security flaws like Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS).

The researchers, Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song, all of the University of California Berkeley, said that they disclosed the holes to all of the affected firms in August of last year and that all but one, NeedMyPassword, have since patched the vulnerabilities.

All the password managers tested were found to contain at least one of a short list of security problems. Either they were vulnerable to classic web-based holes (like XSS), or they were found to be susceptible to user interface-focused attacks, like phishing. In some cases the authentication feature that users sign on to the tools with was found to be vulnerable; in others, JavaScript-based vulnerabilities in so-called "bookmarklet" features could be exploited.

Specifically, the researchers found that a remote attacker who controlled one or more web servers and DNS domains, and then got a user of the password manager to visit one of those domains, could easily hijack the user's session with the password manager browser plug-in, extracting credentials for managed sites and decrypting them.

Similarly, such an attacker could use a phishing attack to harvest credentials when a user is prompted to log into her master account. Applications like LastPass and Roboform allow their users to authenticate within the active tab, making such an attack feasible.


The researchers said a similar attack could also defeat LastPass’s One Time Password (OTP) login option.

In a blog post response, published on Friday, LastPass said that it didn't have any evidence that the researchers' methods had been exploited by anyone else. The company said it has since patched the issues reported.

LastPass customers who used bookmarklets before September 2013 on non-trustworthy sites might want to change their master password and generate new passwords for managed accounts, the company said.

Read more about the research here: The LastPass Blog: A Note from LastPass.
