Researchers expose vulnerabilities of password managers

March 16, 2020

Some commercial password managers may be vulnerable to cyber-attack by fake apps, new research suggests.

Security experts recommend using a complex, random and unique password for every online account, but remembering them all would be a challenging task. That's where password managers come in handy.

Encrypted vaults accessed by a single master password or PIN, they store and autofill credentials for the user and come highly recommended by the UK's National Cyber Security Centre.

However, researchers at the University of York have shown that some commercial password managers may not be a watertight way to ensure cyber security.

After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.

The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.

Senior author of the study, Dr Siamak Shahandashti from the Department of Computer Science at the University of York, said: "Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.

"Our study shows that a phishing attack from a malicious app is highly feasible - if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success."

"In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that are not merely based on an app's purported package name."

The researchers also discovered some password managers did not have a limit on the number of times a master PIN or password could be entered. This means that if hackers had access to an individual's device they could launch a "brute force" attack, guessing a four-digit PIN in around 2.5 hours.
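The two weaknesses described above, modelled as an added example that is not code from the York study or from any vendor: autofill that matches on the self-declared package name alone beside matching that also requires the app's signing-certificate fingerprint, and an unlock gate that counts failed master-PIN attempts and locks out instead of allowing unlimited guesses. All identifiers, certificate fingerprints and passwords are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AppIdentity:
    package_name: str         # self-declared; a rogue app can copy it verbatim
    signing_cert_sha256: str  # hex SHA-256 of the signing certificate, tied to the signer's key


@dataclass(frozen=True)
class Credential:
    app: AppIdentity
    username: str
    password: str


def autofill_by_package_name(vault, requester):
    """Weak criterion: any app claiming the stored package name is offered the credential."""
    return [c for c in vault if c.app.package_name == requester.package_name]


def autofill_by_package_and_signer(vault, requester):
    """Stricter criterion: package name AND signing-certificate fingerprint must both match."""
    return [c for c in vault if c.app == requester]


class MasterPinGate:
    """Counts failed unlock attempts and locks out with doubling delay; a 4-digit PIN has only
    10_000 possibilities, so a vault with no limit can be exhausted in hours."""

    def __init__(self, pin_sha256, max_attempts=5, lockout_seconds=60.0):
        self.pin_sha256 = pin_sha256      # hashed PIN (constructed; a real vault uses a slow KDF)
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0           # monotonic timestamp until which unlocks are refused

    def try_unlock(self, guess, now):
        if now < self.locked_until:       # even the correct PIN is refused during lockout
            return False
        digest = hashlib.sha256(guess.encode()).hexdigest()
        if hmac.compare_digest(digest, self.pin_sha256):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            self.lockout_seconds *= 2     # exponential backoff on repeated lockouts
        return False


# Constructed sample data: a genuine app and a rogue app sharing the same package name.
GENUINE_CERT = hashlib.sha256(b"constructed genuine signer").hexdigest()
ROGUE_CERT = hashlib.sha256(b"constructed rogue signer").hexdigest()
GENUINE_APP = AppIdentity("com.example.bank", GENUINE_CERT)
ROGUE_APP = AppIdentity("com.example.bank", ROGUE_CERT)
VAULT = [Credential(GENUINE_APP, "alice", "constructed-password")]
```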

As well as these new vulnerabilities, the researchers also drew up a list of vulnerabilities disclosed in an earlier study and tested whether they had been resolved. They found that while the most serious of these issues had been fixed, many had not been addressed.

The researchers disclosed these vulnerabilities to the password managers.

Lead author of the study, Michael Carr, who carried out the research while studying for his MSc in Cyber Security at the Department of Computer Science, University of York, said: "New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors. Some were fixed immediately while others were deemed low priority.

"More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and usable option. While it's not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store."

Revisiting Security Vulnerabilities in Commercial Password Managers will be presented at the 35th International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2020) in September, 2020.
-end-


University of York
