Revisiting Security Vulnerabilities in Commercial Password Managers

03/04/2020
by   Michael Carr, et al.
0

In this work we analyse five popular commercial password managers for security vulnerabilities. Our analysis is twofold. First, we compile a list of previously disclosed vulnerabilities through a comprehensive review of the academic and non-academic sources and test each password manager against all the previously disclosed vulnerabilities. We find a mixed picture of fixed and persisting vulnerabilities. Then we carry out systematic functionality tests on the considered password managers and find four new vulnerabilities. Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of five widely-used password managers we tested and as a result steal the user's password for the targeted service. We implement a proof-of-concept attack to show the feasibility of this vulnerability in a real-life scenario. Finally, we report and reflect on our experience of responsible disclosure of the newly discovered vulnerabilities to the corresponding password manager vendors.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
05/30/2022

A Small Leak Will Sink Many Ships: Vulnerabilities Related to Mini Programs Permissions

As a new format of mobile application, mini programs, which function wit...
research
10/15/2022

How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub

Proof-of-concept (PoC) of exploits for known vulnerabilities are widely ...
research
04/07/2020

Vulnerabilities Mapping based on OWASP-SANS: a Survey for Static Application Security Testing (SAST)

The delivery of a framework in place for secure application development ...
research
04/26/2022

Wasmati: An Efficient Static Vulnerability Scanner for WebAssembly

WebAssembly is a new binary instruction format that allows targeted comp...
research
09/06/2023

This is How You Lose the Transient Execution War

A new class of vulnerabilities related to speculative and out-of-order e...
research
08/13/2020

Déjà Vu: Side-Channel Analysis of Mozilla's NSS

Recent work on Side Channel Analysis (SCA) targets old, well-known vulne...
research
01/21/2020

Investigation of Data Deletion Vulnerabilities in NAND Flash Memory Based Storage

Semiconductor NAND Flash based memory technology dominates the electroni...

Please sign up or login with your details

Forgot password? Click here to reset