After analyzing five popular web-based password managers—LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword—researchers found critical vulnerabilities capable of granting hackers access to a user’s website credentials.
“We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords,” reads the researchers’ analysis paper. “The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS.”
The University of California, Berkeley research team reported the vulnerabilities to the vendors, and most have since issued patches (NeedMyPassword was the only vendor that did not respond to the disclosure).
LastPass published a blog post notifying users of the vulnerabilities, but assured them that changing their master passwords and generating new site passwords was likely unnecessary.
“Regarding the One Time Passwords (OTPs) attack, it is a ‘targeted attack,’ requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen,” reads the post.
The researchers also noted that “the wide spectrum of discovered vulnerabilities makes a single solution unlikely,” and that other vulnerabilities may remain undiscovered. The analysis does, however, offer guidance and mitigations in response to the findings.
In addition, the research team outlined plans to build tools that automatically identify such vulnerabilities and to develop a “secure-by-construction” password manager.