Security vulnerabilities found on password managers

News by Tim Ring

The wide spectrum of discovered vulnerabilities makes a single solution unlikely - UC Berkley report

The inability of software to generate truly random strings of characters - and software developers' attempts to develop pseudo-random seed generators to side-step the problem - has reared its ugly head once again, with US researchers revealing that at least five password managers have critical vulnerabilities in this area.

The random seed problem has been made worse in recent years by the evolution of powerful multi-core server and cloud-based platforms capable of running through several thousand password combinations every second.

This technique is perhaps most notably employed by Elcomsoft and others with their `password recovery' software, using powerful dictionary-based attacks.

According to researchers with the University of California at Berkeley, the five Web-based password managers - LastPass, My1Login, NeedMyPassword, PasswordBox and Roboform - have several flaws, including one-time password, bookmarklets and shared password issues.

The source of the weaknesses also varies, ranging from the aforementioned logic and authorisation mistakes caused by pseudo-random seed generators, all the way to misunderstandings about the Web security model, cross-site request forgery issues, and cross-site scripting challenges.

According to the researcher's paper on the subject - entitled `The Emperor's New Password Manager: Security Analysis of Web-based Password Managers' - the flaws can be exploited when a Web attacker controls one or more Web servers plus DNS domains, and then persuades a victim to visit domains controlled by them.

"We believe this is the key threat model for Web-based password managers that often run in the browser," says the analysis, adding that the research uncovered critical vulnerabilities in all the password managers and that, in four password managers, an attacker could steal arbitrary credentials from a user's account.

The good news is that all of the vulnerabilities detailed in the research were responsibly disclosed and have been fixed by the vendors concerned.

Amongst the most dramatic of the vulnerabilities were flaws in the features in LastPass, My1login and RoboForm, that offer access to credentials and auto-fill using JavaScript bookmarklet code.

The technical details are due to be discussed at a Usenix conference in San Diego in late August, but the peer-reviewed research paper - which details the key findings - makes for fascinating reading.

"Our work is a wake-up call for developers of Web-based password managers. The wide spectrum of discovered vulnerabilities, however, makes a single solution unlikely. Instead, we believe developing a secure Web-based password manager entails a systematic, defence-in-depth approach. To help such an effort, we provided guidance and mitigations based on our analysis," concludes the report.

"Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered. Future work includes creating tools to automatically identify such vulnerabilities and developing a principled, secure-by-construction password manager," it notes.

These conclusions were picked up by Andrew Gill, a security researcher with Context Information Security, who said that the research outlines a number of underlying security issues with password managers.

"One of the key concerns is that they lead users into a false sense of security by storing users' most sensitive data under one lock and key, within a system which is potentially exploitable by an attacker," he said.

"Context ultimately recommends that users should not use password managers due to such security concerns, but if they do wish to risk doing so they should be very cautious with whom they choose to share their information and how securely they craft their master keys," he added.

Peter Wood, CEO of pen-testing specialist First Base Technologies, said the issue of password managers is one he has been debating with security clients for many years.

“Our in-house approach is to avoid the cloud and use a USB-based password manager that you can carry around with you. This means you have total control over the physical security, and the electronic security – with 256 bit encryption – is a given,” he explained.

Crime & Threats

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews