
Case study: 40% of password managers vulnerable to breach

Password managers may be vulnerable to cyber attack by fake apps, according to new research released today.

Password managers are one of the first lines of defence against credential theft and malware, yet researchers from the University of York have fooled some of them into giving away passwords.

As cyber threats get more sophisticated, security experts are urging internet users to use unique, random and complex passwords for every account they have. 

If a cyber attacker infiltrates an account and gains access to a single password, which is used across different accounts, that attacker has access to every account associated with that password. 

Password managers eliminate the need to remember dozens of complex passwords by storing them on their network, as well as suggesting secure passwords when signing up to an online service. 

But serious issues may arise if they are subject to malicious attacks.

University of York researchers tested the extent of the negative impact of a password manager breach by creating a malicious app to impersonate a legitimate Google app.

They used this app to fool two out of five of the password managers they tested into giving away a password.

This outcome revealed that these password managers used weak criteria both for identifying legitimate apps and for choosing which username and password to suggest for autofill.

The University of York says this weakness allowed them to impersonate a legitimate app simply by creating a ‘rogue app’ with an identical name. 

Researchers also found some password managers were vulnerable to a ‘brute force’ attack, as they did not impose a limit on the number of times a user could attempt to log in to an account.

This means attackers could gain access to an account within two and a half hours if the account was protected by a four-digit PIN.

“Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information,” says University of York member of the Department of Computer Science and senior author of the study, Siamak Shahandashti. 

“Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.

“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” says Shahandashti.

“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that are not merely based on an app’s purported package name.”
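As an added illustration of the two matching policies contrasted above and in Shahandashti's recommendation (this is not code from the York study or from any password manager), the first matcher offers a credential to any app reporting the saved package name, while the second also requires the signing-certificate fingerprint recorded when the credential was saved. All package names, certificates and vault entries here are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class VaultEntry:
    site: str
    username: str
    package_name: str    # package identifier the credential was saved from
    signer_sha256: str   # SHA-256 of the signing certificate seen at save time

@dataclass(frozen=True)
class AutofillRequest:
    package_name: str    # name the requesting app reports to the platform
    signer_sha256: str   # fingerprint of the certificate that actually signed it

def cert_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 of a DER-encoded signing certificate (constructed bytes here)."""
    return hashlib.sha256(der_bytes).hexdigest()

def match_by_name(vault, req):
    """Weak policy: any entry whose saved package name equals the reported one."""
    return [e for e in vault if e.package_name == req.package_name]

def match_by_name_and_signer(vault, req):
    """Stricter policy: package name AND signing certificate must both match."""
    return [e for e in vault
            if e.package_name == req.package_name
            and e.signer_sha256 == req.signer_sha256]

# Constructed sample: the genuine app's certificate, and a second app signed by
# someone else that merely reuses the same package name.
GENUINE_SIGNER = cert_fingerprint(b"constructed-genuine-signing-cert")
OTHER_SIGNER = cert_fingerprint(b"constructed-other-signing-cert")
VAULT = [VaultEntry("accounts.example.com", "alice",
                    "com.example.accounts", GENUINE_SIGNER)]
GENUINE_REQ = AutofillRequest("com.example.accounts", GENUINE_SIGNER)
LOOKALIKE_REQ = AutofillRequest("com.example.accounts", OTHER_SIGNER)

def demo():
    """Number of credentials each policy would offer to each requester."""
    return {
        "name_only_genuine": len(match_by_name(VAULT, GENUINE_REQ)),
        "name_only_lookalike": len(match_by_name(VAULT, LOOKALIKE_REQ)),
        "strict_genuine": len(match_by_name_and_signer(VAULT, GENUINE_REQ)),
        "strict_lookalike": len(match_by_name_and_signer(VAULT, LOOKALIKE_REQ)),
    }

if __name__ == "__main__":
    print(demo())
```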

Despite the concerning results of the study, security experts still recommend using trusted password managers as part of a cybersecurity regimen.

“Alarming as this research may seem, it is still possible to reduce the risk of attacks like these,” says ESET cybersecurity specialist Jake Moore.

“Password managers are great ways to store unique, complex passwords – but they work best with two-factor authentication. 

“If threat actors get their hands on your passwords, they would still need your unique one time password in your authenticator app to be granted full access to the account,” says Moore.

“Hopefully, this will not put people off password managers, as we still have a long way to go to help people realise their full potential.”
