If you are on the Internet, you are vulnerable to cyber attacks, and using a password manager should be part of your online life. But what if the password manager you are using is vulnerable and leaks your login credentials rather than securing them? The University of York has the answer.
In a study conducted by researchers from the University of York, 5 password managers were selected from a sample of 19 and analyzed for vulnerabilities. As a result, 4 new exploitable flaws were found; the findings are explained below.
The apps tested were LastPass, Dashlane, Keeper, 1Password and RoboForm, chosen because of the extensive features they offer and their popularity among users.
First, the researchers created a malicious app that impersonated a legitimate one and tested it against these password managers. Both 1Password's and LastPass's Android applications fell for the trick and leaked user credentials as a result, because the app's identity alone decided “which stored credentials to suggest for autofill”.
This was because no strong criterion was in place to verify the identity of the requesting app; an identical package name was considered sufficient.
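As an added illustration (not the paper's or any vendor's code), here is a hypothetical Android autofill service that only suggests credentials when both the requesting app's package name and its signing-certificate SHA-256 match what was recorded when the credential was saved; the package name, digest and trust store are constructed placeholders, and the check assumes API 28 or later.

```java
import android.content.pm.PackageManager;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical service: credentials are bound to (package name, signing-cert SHA-256). */
public abstract class CertBoundAutofillService extends AutofillService {

    // Constructed trust store standing in for the vault: package name -> SHA-256 of the
    // signing certificate recorded when the credential was first saved (placeholder digest).
    private static final Map<String, byte[]> TRUSTED_SIGNERS = new HashMap<>();
    static {
        TRUSTED_SIGNERS.put("com.example.bank",
            hexToBytes("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"));
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal,
                              FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        String pkg = contexts.get(contexts.size() - 1).getStructure()
                .getActivityComponent().getPackageName();
        if (!isTrustedSigner(pkg)) {
            // Same package name but a different signer: suggest nothing rather than leak.
            callback.onSuccess(null);
            return;
        }
        callback.onSuccess(buildResponse(pkg, request));
    }

    /** A package name alone is spoofable; the installed APK's signer must match too. */
    boolean isTrustedSigner(String pkg) {
        byte[] expected = TRUSTED_SIGNERS.get(pkg);
        if (expected == null) return false;
        // API 28+: true only if the package is (or via rotation was) signed by this cert.
        return getPackageManager().hasSigningCertificate(
                pkg, expected, PackageManager.CERT_INPUT_SHA256);
    }

    /** Vendor-specific part: build the FillResponse for the credentials stored under pkg. */
    protected abstract FillResponse buildResponse(String pkg, FillRequest request);

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```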
To offer convenience, some of these applications allow users to set a 4-digit PIN as an authentication measure instead of a long password. However, what happens if an attacker tries to brute force it by repeatedly attempting different combinations? Ideally, a lockout should apply for a certain period of time. Yet neither the RoboForm nor the Dashlane Android application had such a measure in place, which would allow someone to test all 10,000 possible combinations in a mere 2.5 hours using a “manual random guessing attack”. Elaborating further on the possibilities, the researchers state:
If the attacker was to factor in common PINs the results suggest that the attack time would reduce to approximately 1.5 hours, and if the birth date of the victim is known, around 8% of the PINs are expected to be found within the first six guesses. We did not fully automate this attack, but we expect an automated attack to take considerably less time to brute force the PIN.
It is worth noting that knowing someone's date of birth is not rocket science these days, thanks to data breaches containing personal data including names, email addresses, passwords, dates of birth, etc.
In cases where autofill does not work on a website, the password manager allows users to copy their passwords to the clipboard. However, the researchers found that all of them except 1Password failed to employ appropriate security measures here.
One might argue that locking one's device, which the majority of people do once they are done using it, prevents any unauthorized person from accessing the clipboard anyway. To this, the researchers highlight that “Windows 10 allows access to the clipboard of a locked machine”, making it a serious vulnerability.
Remember, last year a number of password managers were found vulnerable to clipboard sniffing.
4. Brute Forcing Extensions
In line with their features, all of these companies provide browser extensions for user convenience. To log in, users need to enter their master password. The problem here is that Keeper, Dashlane and 1Password enforce no maximum number of attempts, inviting a dictionary or brute force attack. Testing this, the researchers made 10 login attempts for each app, though they followed this with a disclaimer [PDF]:
Due to ethical reasons, the number of passwords attempted was considerably less than would be required in a dictionary or brute force attack, and it is possible that the vendors implement measures to identify a larger number of login attempts. Hence, we regard this only as an indicator of a possible vulnerability requiring further investigation.
To conclude, all of these newly discovered vulnerabilities were responsibly disclosed to the companies, as documented in the paper. Some have already been patched, while others remain a work in progress because of the lower degree of seriousness associated with them. In addition, 6 previously known vulnerabilities were also tested, with unpleasant results, as shown in Table 2 below, extracted from the paper.
Keeping these in mind, we hope that these firms take user security seriously and work to fix all of the issues in line with the trust their users have placed in them.