Researchers found vulnerabilities in password managers




Researchers at UC Berkeley have found vulnerabilities in several password managers, including the popular LastPass. In LastPass's case the bookmarklet was vulnerable: a malicious website could decrypt all of a user's passwords.

The researchers have only now published their findings, even though the vulnerabilities were discovered in the summer of last year and were for the most part fixed at that time. They put five password managers under the microscope, including LastPass, RoboForm and My1login.

Notably, one of the password managers surveyed, NeedMyPassword, never responded to the researchers' findings and is therefore still vulnerable. The other companies replied to the researchers' emails within a week, and most of the security issues have been resolved.

One of the most serious problems was found in the bookmarklet of the popular LastPass. Bookmarklets are ordinary bookmarks that contain JavaScript instead of a URL; when the user clicks one, that JavaScript runs inside the site the user is currently visiting. Three of the password managers use bookmarklets to autofill usernames and passwords in browsers for which they have no extension, such as Safari on iOS, which does not support extensions. All three bookmarklets, however, were vulnerable.

In LastPass's case, the bookmarklet could easily be abused by the website on which the user invoked it. Because the bookmarklet's code runs in that website's own JavaScript environment, the site controls every function and object the bookmarklet uses: it could read the keys used to protect the passwords and then read the user's entire password database. RoboForm and My1login had similar vulnerabilities.

Almost all of the password managers were also vulnerable to abuse via their own websites, for example through cross-site request forgery (CSRF): an HTTP request sent to the password manager from another website is interpreted as a command from the user, because the browser attaches the user's session cookie to it automatically. In LastPass's case this allowed the URLs of the sites for which passwords are stored to be read, as well as the encrypted passwords.

The researchers emphasize that password managers have the potential to be useful, but that in practice they can make users less safe, because the tools are a single point of failure: whoever gains access to a password manager immediately has access to all of the passwords in it, so the impact of a compromise is far greater than that of a single leaked password.

