Tweet
Security slip-ups in 1Password and other password managers 'extremely worrying'
Everything's fine now. Patch. Keep using them. Move along
28 Feb 2017 at 20:14, Thomas Claburn
Password management applications, recommended by many security experts as the only viable way to deal with large sets of passwords that are unique and sufficiently complex, introduce their own set of problems – namely the general fallibility of software.
A group of security researchers called TeamSIK from the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt, Germany, on Tuesday published its security assessment of nine popular password management applications on Android devices and found them all wanting.
"The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials," the group said. "Instead, they abuse the users' confidence and expose them to high risks."
TeamSIK looked at My Passwords, Informaticore Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords, and 1Password.
In each application, the group identified one or more security vulnerabilities, all of which were reported to app makers and were fixed prior to the publication of the group's findings. Among the better-known password managers, fix times are respectable – a week to a month in most cases. In other words, the bugs disclosed today have been fixed. Make sure you're patched, because now hackers have all the information they need to exploit vulnerable versions of the software.
The flaws identified were sometimes serious, such as storing the master password entered by the user in plaintext or using hard-coded crypto-keys in application code. In other cases, design flaws allowed the researchers to extract supposedly secure credentials using a third-party app.
The researchers observe that many of the apps fail to account for the possibility of clipboard sniffing, which may be done to capture credentials that have been copied into memory in order to paste them into a password entry interface.
Complicating the vulnerability picture, many of these apps implement convenience features that affect app security. For example, some of the apps include a built-in web browser, which expands the scope of possible flaws. Also, the researchers found auto-fill functions in applications could be used to capture stored secrets through "hidden phishing" attacks.
Here's a rundown of the problems found and disclosed today by the team:
MyPasswords
SIK-2016-019: Read Private Data of My Passwords App
SIK-2016-020: Master Password Decryption of My Passwords App
SIK-2016-043: Free Premium Features Unlock for My Passwords
Informaticore Password Manager
SIK-2016-021: Insecure Credential Storage in Mirsoft Password Manager
LastPass Password Manager
SIK-2016-022: Hardcoded Master Key in LastPass Password Manager
SIK-2016-023: Privacy, Data leakage in LastPass Browser Search
SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager
Keeper Password-Manager
SIK-2016-025: Keeper Password Manager Security Question Bypass
SIK-2016-026: Keeper Password Manager Data Injection without Master Password
F-Secure KEY Password Manager
SIK-2016-027: F-Secure KEY Password Manager Insecure Credential Storage
Dashlane Password Manager
SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser
Hide Pictures Keep Safe Vault
SIK-2016-032: Keepsafe Plaintext Password Storage
Avast Passwords
SIK-2016-033: App Password Stealing from Avast Password Manager
SIK-2016-035: Insecure Default URLs for Popular Sites in Avast Password Manager
SIK-2016-037: Broken Secure Communication Implementation in Avast Password Manager
1Password – Password Manager
SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
SIK-2016-041: Read Private Data From App Folder in 1Password Manager
SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
This is not to say that password management applications add more risk than they remove; rather, those using these apps must make maintaining them a priority in order to keep them secure. And if you do that, you're sorted.
"Since all vendors fixed their security issues, our advice to the customers is to always update their apps," said Siegfried Rasthofer, a malware researcher at Fraunhofer SIT, in an email to The Register. ®
Everything's fine now. Patch. Keep using them. Move along
28 Feb 2017 at 20:14, Thomas Claburn
Password management applications, recommended by many security experts as the only viable way to deal with large sets of passwords that are unique and sufficiently complex, introduce their own set of problems – namely the general fallibility of software.
A group of security researchers called TeamSIK from the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt, Germany, on Tuesday published its security assessment of nine popular password management applications on Android devices and found them all wanting.
"The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials," the group said. "Instead, they abuse the users' confidence and expose them to high risks."
TeamSIK looked at My Passwords, Informaticore Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords, and 1Password.
In each application, the group identified one or more security vulnerabilities, all of which were reported to app makers and were fixed prior to the publication of the group's findings. Among the better-known password managers, fix times are respectable – a week to a month in most cases. In other words, the bugs disclosed today have been fixed. Make sure you're patched, because now hackers have all the information they need to exploit vulnerable versions of the software.
The flaws identified were sometimes serious, such as storing the master password entered by the user in plaintext or using hard-coded crypto-keys in application code. In other cases, design flaws allowed the researchers to extract supposedly secure credentials using a third-party app.
The researchers observe that many of the apps fail to account for the possibility of clipboard sniffing, which may be done to capture credentials that have been copied into memory in order to paste them into a password entry interface.
Complicating the vulnerability picture, many of these apps implement convenience features that affect app security. For example, some of the apps include a built-in web browser, which expands the scope of possible flaws. Also, the researchers found auto-fill functions in applications could be used to capture stored secrets through "hidden phishing" attacks.
Here's a rundown of the problems found and disclosed today by the team:
MyPasswords
SIK-2016-019: Read Private Data of My Passwords App
SIK-2016-020: Master Password Decryption of My Passwords App
SIK-2016-043: Free Premium Features Unlock for My Passwords
Informaticore Password Manager
SIK-2016-021: Insecure Credential Storage in Mirsoft Password Manager
LastPass Password Manager
SIK-2016-022: Hardcoded Master Key in LastPass Password Manager
SIK-2016-023: Privacy, Data leakage in LastPass Browser Search
SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager
Keeper Password-Manager
SIK-2016-025: Keeper Password Manager Security Question Bypass
SIK-2016-026: Keeper Password Manager Data Injection without Master Password
F-Secure KEY Password Manager
SIK-2016-027: F-Secure KEY Password Manager Insecure Credential Storage
Dashlane Password Manager
SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser
Hide Pictures Keep Safe Vault
SIK-2016-032: Keepsafe Plaintext Password Storage
Avast Passwords
SIK-2016-033: App Password Stealing from Avast Password Manager
SIK-2016-035: Insecure Default URLs for Popular Sites in Avast Password Manager
SIK-2016-037: Broken Secure Communication Implementation in Avast Password Manager
1Password – Password Manager
SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
SIK-2016-041: Read Private Data From App Folder in 1Password Manager
SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
This is not to say that password management applications add more risk than they remove; rather, those using these apps must make maintaining them a priority in order to keep them secure. And if you do that, you're sorted.
"Since all vendors fixed their security issues, our advice to the customers is to always update their apps," said Siegfried Rasthofer, a malware researcher at Fraunhofer SIT, in an email to The Register. ®