SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Case study: 40% of password managers vulnerable to breach
Wed, 18th Mar 2020

Password managers may be vulnerable to cyber attack by fake apps, according to new research released today.

Although password managers are one of the first lines of defence against credential theft and malware, researchers from the University of York fooled some of them into giving away passwords.

As cyber threats get more sophisticated, security experts are urging internet users to use unique, random and complex passwords for every account they have.

If a cyber attacker infiltrates an account and gains access to a single password, which is used across different accounts, that attacker has access to every account associated with that password.

Password managers eliminate the need to remember dozens of complex passwords by storing them on their network, as well as suggesting secure passwords when signing up to an online service.

But serious issues may arise if they are subject to malicious attacks.

University of York researchers tested the extent of the negative impact of a password manager breach by creating a malicious app to impersonate a legitimate Google app.

They used this app to fool two out of five of the password managers they tested into giving away a password.

This outcome revealed that these password managers used weak criteria both for identifying legitimate apps and for deciding which username and password to suggest for autofill.

The University of York says this weakness allowed them to impersonate a legitimate app simply by creating a ‘rogue app’ with an identical name.
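The matching weakness described above, as an added example that is not code from the University of York study or from any password manager: a small model of the autofill decision a password manager makes when an app asks for credentials. The weak matcher keys only on the package name the app declares, which any app can copy; the hardened matcher also requires the fingerprint of the signing certificate that was pinned when the credential was first saved, which a rogue app cannot reproduce. The platform details (how the autofill service learns the caller's package name and signer) are abstracted away; every package name, fingerprint and credential here is constructed sample data.

```python
# Added example (not code from the University of York study or from any password
# manager): a model of the autofill decision a password manager makes when an app
# asks for credentials. The weak matcher keys only on the package name the app
# declares, which any app can copy; the strict matcher also requires the signing
# certificate fingerprint pinned when the credential was saved. Every package name,
# fingerprint and credential here is constructed sample data.
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InstalledApp:
    package_name: str          # declared by the app itself, so attacker-chosen
    signing_cert_sha256: str   # hex SHA-256 of the certificate that signed the app


@dataclass(frozen=True)
class VaultEntry:
    package_name: str
    signing_cert_sha256: str   # pinned the first time the credential was saved
    username: str
    password: str


class SignerMismatch(Exception):
    """Raised when an app with a known package name presents a different signer."""


def weak_match(app: InstalledApp, vault: list) -> Optional[VaultEntry]:
    """Vulnerable behaviour: offer whatever entry shares the declared package name."""
    for entry in vault:
        if entry.package_name == app.package_name:
            return entry
    return None


def strict_match(app: InstalledApp, vault: list) -> Optional[VaultEntry]:
    """Hardened behaviour: the name must match AND the app must be signed by the
    pinned certificate. compare_digest keeps the fingerprint check constant-time."""
    for entry in vault:
        if entry.package_name == app.package_name and hmac.compare_digest(
            entry.signing_cert_sha256, app.signing_cert_sha256
        ):
            return entry
    return None


def save_credential(app: InstalledApp, vault: list, username: str, password: str) -> VaultEntry:
    """Trust-on-first-use: pin the signer when a package is first seen, and refuse
    to add an entry for a known package that is now signed by someone else."""
    for entry in vault:
        if entry.package_name == app.package_name and not hmac.compare_digest(
            entry.signing_cert_sha256, app.signing_cert_sha256
        ):
            raise SignerMismatch(f"{app.package_name} is signed by an unknown certificate")
    entry = VaultEntry(app.package_name, app.signing_cert_sha256, username, password)
    vault.append(entry)
    return entry


# Constructed sample data: a genuine app and a rogue app with the same package name.
GENUINE = InstalledApp("com.example.mail", "a1" * 32)
ROGUE = InstalledApp("com.example.mail", "f0" * 32)


def autofill_outcomes() -> dict:
    """Which apps get offered the saved credential under each matching policy."""
    vault = []
    save_credential(GENUINE, vault, "alice", "correct horse battery staple")
    return {
        "weak_genuine": weak_match(GENUINE, vault) is not None,
        "weak_rogue": weak_match(ROGUE, vault) is not None,      # credential leaks
        "strict_genuine": strict_match(GENUINE, vault) is not None,
        "strict_rogue": strict_match(ROGUE, vault) is not None,  # blocked
    }


def rogue_save_is_refused() -> bool:
    """A rogue app cannot quietly attach its own signer to an existing entry either."""
    vault = []
    save_credential(GENUINE, vault, "alice", "correct horse battery staple")
    try:
        save_credential(ROGUE, vault, "alice", "anything")
    except SignerMismatch:
        return True
    return False


if __name__ == "__main__":
    print(autofill_outcomes())
    print("rogue save refused:", rogue_save_is_refused())
```

The pinned fingerprint is what makes the difference: a package name is a string the app chooses, whereas the signing certificate is bound to whoever holds the signing key, so the second check is the one the study's suggested "stricter matching criteria" would have to rest on.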

Researchers also found some password managers were vulnerable to a ‘brute force’ attack, as they did not impose a limit on the number of times a user could attempt to login to an account.

This means attackers could gain access to an account within two and a half hours if the account was protected by a four-digit PIN.
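The missing attempt limit above, as an added example that is not the researchers' code or any vendor's: a vault-unlock gate that counts failed PIN attempts and imposes an escalating delay, next to an estimate of how long exhausting all 10,000 four-digit PINs takes with and without that policy. The attempt cost of about 0.9 seconds (the rate implied by 10,000 PINs in two and a half hours), the five free attempts, the 30-second starting delay and the one-hour cap are all constructed assumptions, as is the PIN.

```python
# Added example (not from the University of York study or any password manager):
# a PIN gate with escalating lockout, and a worst-case time estimate for trying
# every four-digit PIN under that policy versus no policy at all. The policy
# constants and the ~0.9 s per-attempt cost are constructed assumptions.
import hashlib
import hmac

PIN_SPACE = 10_000  # every four-digit PIN


class VaultLock:
    FREE_ATTEMPTS = 5   # failures allowed before any delay is imposed
    BASE_DELAY = 30     # seconds; doubles with each further failure
    MAX_DELAY = 3600    # cap on the delay between attempts

    def __init__(self, pin: str, salt: bytes = b"constructed-salt"):
        self._salt = salt
        self._pin_hash = self._derive(pin)   # never store the PIN itself
        self.failures = 0
        self.locked_until = 0.0              # clock value before which attempts are refused

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @classmethod
    def delay_for(cls, failures: int) -> int:
        """Delay imposed after the given number of consecutive failures."""
        if failures < cls.FREE_ATTEMPTS:
            return 0
        exponent = min(failures - cls.FREE_ATTEMPTS, 20)   # avoid huge powers
        return min(cls.BASE_DELAY * 2 ** exponent, cls.MAX_DELAY)

    def try_unlock(self, pin: str, now: float) -> str:
        """Returns 'ok', 'wrong' or 'locked'. `now` is injected so it is testable."""
        if now < self.locked_until:
            return "locked"           # refused without even checking the PIN
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.delay_for(self.failures)
        return "wrong"


def exhaust_time_seconds(attempt_seconds: float, throttled: bool, space: int = PIN_SPACE) -> float:
    """Worst-case time to try every PIN: per-attempt cost plus, if throttled,
    the delay VaultLock imposes after each failure before the next attempt."""
    waits = sum(VaultLock.delay_for(f) for f in range(1, space)) if throttled else 0
    return space * attempt_seconds + waits


def demo_lockout() -> list:
    """Five wrong PINs, then an attempt one second later is refused even with the
    right PIN; after the 30 s delay has elapsed the right PIN unlocks the vault."""
    lock = VaultLock("1234")
    log, t = [], 0.0
    for guess in ["0000", "0001", "0002", "0003", "0004"]:
        log.append(lock.try_unlock(guess, now=t))
        t += 1
    log.append(lock.try_unlock("1234", now=t))        # 'locked'
    log.append(lock.try_unlock("1234", now=t + 30))   # 'ok'
    return log


if __name__ == "__main__":
    unthrottled = exhaust_time_seconds(0.9, throttled=False)
    throttled = exhaust_time_seconds(0.9, throttled=True)
    print(f"no limit:   {unthrottled / 3600:.1f} hours")
    print(f"with policy: {throttled / 86400:.0f} days")
    print(demo_lockout())
```

Without a limit the whole space goes in the two and a half hours the article reports; with the escalating delay almost every attempt past the twelfth waits the full hour, so the same search stretches to over a year, and the lockout state must be kept somewhere the app cannot reset (on-device keystore or the server side) for it to mean anything.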

“Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information,” says University of York member of the Department of Computer Science and senior author of the study, Siamak Shahandashti.

“Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.

“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” says Shahandashti.

“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that is not merely based on an app's purported package name.”

Despite the concerning results of the study, security experts still recommend that users keep a trusted password manager as part of their cybersecurity regimen.

“Alarming as this research may seem, it is still possible to reduce the risk of attacks like these,” says ESET cybersecurity specialist Jake Moore.

“Password managers are great ways to store unique, complex passwords – but they work best with two-factor authentication.

“If threat actors get their hands on your passwords, they would still need your unique one time password in your authenticator app to be granted full access to the account,” says Moore.

“Hopefully, this will not put people off password managers, as we still have a long way to go to help people realise their full potential.”