Flaws in top password managers can expose the very data they are supposed to protect, a study by researchers at Independent Security Evaluators (ISE) researchers found.
"100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” ISE CEO Stephen Bono said in a release announcing the findings of “Under the Hood of Secrets Management. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
Assessing the underlying functionality of 1Password, Dashlane, KeePass and LastPass on Windows 10, researchers discovered that in some cases, the master password could be found in plaintext in the computer’s memory when the password manager was locked and that they could extract the master password using standard memory forensics.
“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” ISE Lead Researcher, Adrian Bednare said, noting that once hackers get their hands on the master password, “it’s game over.”
Sandor Palfy, LastPassCTO, said in a statement sent to SC Media that the “particular vulnerability, in LastPass for Applications, the company’s “legacy, local Windows Application (which accounts for less than .2 percent of all LastPass usage) was brought to our attention by researchers through our Bug Bounty Program.”
He explained that to be able to “read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer.” The company has“already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report,” said Palfy. “To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind.”
He said there’s no indication that sensitive LastPass user data was compromised. “As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible,” said Palfy.
Dashlane CEO Emmanuel Schalit said the scenario outlined by the ISE researchers “is that of an attacker who would have taken total control of a user’s device,” a standard question in security not limited to Windows 10 but which “applies to any operating system and any digital device connected to the internet” and which are known to security pros as part of the security audit.
The company, in fact, has included the scenario in one of its whitepapers. “Even if consumers most likely do not read our security whitepapers, most of the large business clients that have adopted our (or any other identity management solution) are well aware of this type of scenario as part of their security audits,” Schalit said.
“It is indeed correct that if an attacker has full control of a device at the lowest operating systems level, the attacker can read any and every information on the device,” he said. “This is not the case just with Dashlane or with password managers, but of any software or in fact any device that stores digital information. In such a case, the attacker can also see everything that is typed by the user including passwords and credit card numbers, any information being exchanged by the device over the internet even if it is sent over https, any information the device is able to capture(audio, video, etc.) through the hardware attached to it, regardless of whether the user employs a password manager or not.”
While no mechanism can protect digital information on a fully compromised device, Schalit explained that data stored by Dashlane on a “device(i.e. on the hard drive) is encrypted and cannot be read by an attacker even if the attacker has full control of the device. This only applies to the data present in the memory of the device when Dashlane is being used by a user who has typed the Master Password.”
He warned against recommending people not use software or technology unless it’s 100 percent foolproof. “This leads to consumers having no protection against the most common threats (reusing passwords that can be stolen in large quantity online by hackers who target millions of consumers in one attack) for fear of a much less likely threat(an attacker being able to specifically take control of the device of a single user),” he said, noting the very real security problems caused by consumer apathy. “At the end of the day the only real protection against a scenario where an attacker has fully compromised a device is to not use that device.”