Feeds

Popular password protection programs p0wnable

LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword all flawed

The essential guide to IT transformation

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.

"Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California Berkeley researchers as a "wake-up call" for developers of web password vaults.

"Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites," Researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in the paper The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers (PDF).

"We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords.

"The root-causes of the vulnerabilities are also diverse: ranging from logic and authorisation mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF (cross site request forgery) and XSS (cross site scripting)."

The LastPass bookmarklet option which permitted ad-hoc integration with Safari on iOS was found vulnerable if users were tricked into running the Java code on an attackers' site.

A carder, for example, could set up a fake banking site in an attempt to con the less than one percent of LastPass users running bookmarklets to log in. Doing so could allow attackers to extract passwords from the victim's LastPass vault.

A second CSRF bug affected LastPass one time passwords. It could allow attackers to see which apps and devices were running LastPass, to steal the entire master password-encrypted vault for later brute-forcing, and to erase any stored website password.

The disclosure prompted LastPass to issue a statement playing down vulnerabilities affecting its Java bookmarklets and one time passwords which if run on a malicious website could compromise user accounts prior to a fix pushed out in September.

"If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary," chief information officer Joe Siegrist said.

"The OTP attack is a 'targeted attack' requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack [for each] user [which is] activity which we have not seen.

"Even if this was exploited, the attacker would still not have the key to decrypt user data."

The research did not signal curtains for web password managers, but rather served as a warning to developers and users of inherent security risks.

"Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem," researchers wrote, adding that design of a secure password manager required systematic defense-in-depth.

The boffin quartet said they will develop tools to automate their vulnerability inspection for password managers and planned a "principled, secure-by-construction" password manager. ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?