Flaw in Password Managers Allowed Apps to Steal Credentials

One of the vulnerabilities that researchers from the University of York discovered in widely used password managers could have allowed malicious apps to steal users’ credentials.


Password managers are encrypted vaults employed to store credentials and other sensitive information, and they allow the use of strong, unique credentials for each of the applications and online services an individual uses.


Many security experts encourage the use of password managers, although they also recommend adopting multi-factor authentication (MFA) so that attackers can’t access a user’s account even if the credentials protecting it are compromised.


University of York researchers Michael Carr and Siamak F. Shahandashti analyzed five popular commercial password managers – LastPass, Dashlane, Keeper, 1Password, and RoboForm – and identified four previously unknown vulnerabilities, including one that could result in exposed credentials.


The most important of the discovered flaws could have allowed a malicious app to impersonate a legitimate program and trick the password manager into revealing stored credentials for the respective service, the researchers explain in a newly published whitepaper (PDF).


The issue impacts the 1Password and LastPass Android applications, both of which were found vulnerable to a phishing attack due to the use of “weak matching criteria for identifying which stored credentials to suggest for autofill.”


Thus, the researchers explain, a malicious app could impersonate a legitimate one simply by using an identical package name. The researchers built a proof-of-concept application that demonstrates this attack against LastPass, but say that the same applies to 1Password as well.
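To make the matching weakness concrete, here is an added illustration (not code from the paper or from either password manager) that models an autofill lookup: the weak matcher keys only on the requesting app's package name, while the stricter one also pins the APK signing certificate, which a look-alike app signed by someone else cannot reproduce. All package names, certificate bytes and vault contents are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CallerIdentity:
    """What an autofill service can learn about the app requesting a fill.
    On Android the package name comes from AssistStructure.getActivityComponent()
    and the signer from PackageManager.getPackageInfo(pkg, GET_SIGNING_CERTIFICATES);
    both values here are constructed for the example."""
    package_name: str
    signer_sha256: str  # hex SHA-256 over the DER-encoded signing certificate


@dataclass(frozen=True)
class VaultEntry:
    package_name: str
    signer_sha256: str
    username: str
    password: str


def cert_fingerprint(der_cert: bytes) -> str:
    """Fingerprint a signing certificate the way app stores and pinning code do."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed sample data: the genuine app's signer and an attacker's signer.
GENUINE_CERT = b"constructed-der-bytes-of-genuine-signer"
IMPOSTOR_CERT = b"constructed-der-bytes-of-attacker-signer"
VAULT: List[VaultEntry] = [
    VaultEntry("com.example.bank", cert_fingerprint(GENUINE_CERT),
               "alice", "constructed-password"),
]


def weak_match(vault: List[VaultEntry], caller: CallerIdentity) -> List[VaultEntry]:
    """Package-name-only matching: any app that reuses the name gets the entry."""
    return [e for e in vault if e.package_name == caller.package_name]


def strict_match(vault: List[VaultEntry], caller: CallerIdentity) -> List[VaultEntry]:
    """Require the signing-certificate fingerprint to match as well."""
    return [e for e in vault
            if e.package_name == caller.package_name
            and e.signer_sha256 == caller.signer_sha256]
```

A production matcher should also account for legitimate signing-key rotation (Android exposes the certificate lineage via SigningInfo) rather than treating every new signer as an impostor.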


“This app had a login screen […] that was designed to mi ..
