Some commercial password managers vulnerable to attack by fake apps
Security experts recommend using a complex, random and unique password for every online account, but remembering them all would be a challenging task. That’s where password managers come in handy.
Encrypted vaults are accessed by a single master password or PIN, and they store and autofill credentials for the user. However, researchers at the University of York have shown that some commercial password managers (depending on the version) may not be a watertight way to ensure cybersecurity.
After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.
What is the weakness?
The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.
Senior author of the study, Dr Siamak Shahandashti from the Department of Computer Science at the University of York, said: “Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.
“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.”
“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that is not merely based on an app’s purported package name.”
“I am not aware of the different ways a password manager could properly identify an app so not to fall victim to this kind of attack. But it does remind me of concerns we’ve had a long time about alternative keyboard apps getting access to anything you type on your phone or tablet,” Per Thorsheim, founder of PasswordsCon, told Help Net Security.
“The risk presented with autofill on compromised websites pertains only to the site’s credentials, not the user’s entire vault. It is always in the user’s best interest to enable MFA for all online accounts, including LastPass, since it can protect them further,” a LastPass spokesperson told us via email.
“While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report. Our app requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted.”
The researchers also discovered some password managers did not have a limit on the number of times a master PIN or password could be entered. This means that if hackers had access to an individual’s device they could launch a “brute force” attack, guessing a four digit PIN in around 2.5 hours.
The researchers also drew up a list of vulnerabilities identified in a previous study and tested whether they had been resolved. They found that while the most serious of these issues had been fixed, many had not been addressed.
Some issues have been fixed long ago
The researchers disclosed these vulnerabilities to the companies developing those password managers.
Lead author of the study, Michael Carr, said: “New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors. Some were fixed immediately while others were deemed low priority. More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and useable option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”
Commenting on this research for Help Net Security, Jeffrey Goldberg, Chief Defender Against the Dark Arts at 1Password, said: “Academic research of this nature can be misread by the public. The versions of 1Password that were examined in that study were from June and July 2017. As is the convention for such research, the researchers talked to us before making their findings public and gave us the opportunity to fix things that needed to be fixed. The research, and publication of it now, does have real value both to developers password managers and for future examination of password managers, but given its historical nature, it is not a very useful guide to the general public in accessing the current state of password manager security.”