
Case study: 40% of password managers vulnerable to breach

Password managers may be vulnerable to cyber attack by fake apps, according to new research released today.

One of the first lines of defence against credential theft and malware, some password managers have been fooled by researchers from the University of York into giving away passwords.

As cyber threats get more sophisticated, security experts are urging internet users to use unique, random and complex passwords for every account they have. 

If a cyber attacker infiltrates an account and gains access to a single password, which is used across different accounts, that attacker has access to every account associated with that password. 

Password managers eliminate the need to remember dozens of complex passwords by storing them on their network, as well as suggesting secure passwords when signing up to an online service. 

But serious issues may arise if they are subject to malicious attacks.

University of York researchers tested the extent of the negative impact of a password manager breach by creating a malicious app to impersonate a legitimate Google app.

They used this app to fool two out of five of the password managers they tested into giving away a password.

This outcome revealed that these password managers used weak criteria both for identifying legitimate apps and for deciding which username and password to suggest for autofill.

The University of York says this weakness allowed them to impersonate a legitimate app simply by creating a ‘rogue app’ with an identical name. 
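The package-name-only matching the study describes, next to a stricter check that also pins the app's signing-certificate fingerprint, as an added Python example (not the researchers' code; the package name, certificate bytes and credentials are constructed placeholders, and pinning the signer fingerprint is one stricter criterion chosen for this example):

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package_name: str      # the name the app purports to have
    signing_cert: bytes    # DER bytes of its signing certificate (constructed here)


@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    package_name: str
    cert_sha256: str       # signer fingerprint pinned when the credential was saved


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def weak_match(app: InstalledApp, vault: list) -> list:
    """Suggest credentials on the purported package name alone (the weak criterion the study describes)."""
    return [c for c in vault if c.package_name == app.package_name]


def strict_match(app: InstalledApp, vault: list) -> list:
    """Require the pinned signing-certificate fingerprint to match as well as the package name."""
    fp = cert_fingerprint(app.signing_cert)
    return [c for c in vault if c.package_name == app.package_name and c.cert_sha256 == fp]


# Constructed sample data: placeholder package name and made-up certificate bytes.
PKG = "com.example.mail"
GENUINE_CERT = b"constructed-certificate-bytes-of-the-genuine-signer"
ROGUE_CERT = b"constructed-certificate-bytes-of-a-rogue-signer"
VAULT = [Credential("alice@example.com", "correct horse battery staple", PKG, cert_fingerprint(GENUINE_CERT))]

genuine_app = InstalledApp(PKG, GENUINE_CERT)
rogue_app = InstalledApp(PKG, ROGUE_CERT)   # identical name, different signer

if __name__ == "__main__":
    print("weak, rogue app  :", [c.username for c in weak_match(rogue_app, VAULT)])
    print("strict, rogue app:", [c.username for c in strict_match(rogue_app, VAULT)])
    print("strict, genuine  :", [c.username for c in strict_match(genuine_app, VAULT)])
```

With the weak criterion the rogue app with the identical name receives the stored credential; with the stricter one only the app signed by the pinned signer does.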

Researchers also found some password managers were vulnerable to a ‘brute force’ attack, as they did not impose a limit on the number of times a user could attempt to log in to an account.

This means attackers could gain access to an account within two and a half hours if the account was protected by a four-digit PIN.
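The attempt limit the study found missing, as an added Python example (not the researchers' code): a PIN check with a failure counter and escalating lockout, plus a simulation that counts how many guesses at one per second get evaluated within the two-and-a-half-hour window quoted above, with and without the limit. The threshold and delay values are illustrative choices, not figures from the study.

```python
import hashlib
import hmac


class PinGuard:
    """PIN check with a failure counter and escalating lockout (constructed example)."""

    def __init__(self, pin: str, max_attempts: int = 5, base_delay: float = 30.0):
        self._digest = hashlib.sha256(pin.encode()).digest()
        self.max_attempts = max_attempts   # illustrative threshold
        self.base_delay = base_delay       # illustrative first lockout, in seconds
        self.failures = 0
        self.locked_until = 0.0            # timestamp before which no attempt is evaluated

    def verify(self, candidate: str, now: float) -> bool:
        if now < self.locked_until:
            return False                   # locked out: the guess is not even checked
        ok = hmac.compare_digest(hashlib.sha256(candidate.encode()).digest(), self._digest)
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            # each failure past the threshold doubles the lockout period
            self.locked_until = now + self.base_delay * 2 ** (self.failures - self.max_attempts)
        return False


def guesses_checked(guard: PinGuard, window_seconds: int, wrong_pin: str = "0000") -> int:
    """Simulate one wrong guess per second for the window; count guesses actually evaluated."""
    checked = 0
    for t in range(window_seconds):
        if t >= guard.locked_until:
            guard.verify(wrong_pin, float(t))
            checked += 1
    return checked


if __name__ == "__main__":
    window = 9000  # two and a half hours, the figure quoted for a four-digit PIN
    print("no limit :", guesses_checked(PinGuard("4821", max_attempts=10**9), window))
    print("lockout  :", guesses_checked(PinGuard("4821"), window))
```

Without a limit the full window yields 9000 evaluated guesses, close to the 10,000 four-digit PINs; with the lockout only 13 guesses are evaluated in the same window.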

“Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information,” says University of York member of the Department of Computer Science and senior author of the study, Siamak Shahandashti. 

“Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.

“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” says Shahandashti.

“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that are not merely based on an app’s purported package name.”

Despite the concerning results of the study, security experts still recommend using trusted password managers as part of a cybersecurity regimen.

“Alarming as this research may seem, it is still possible to reduce the risk of attacks like these,” says ESET cybersecurity specialist Jake Moore.

“Password managers are great ways to store unique, complex passwords – but they work best with two-factor authentication. 

“If threat actors get their hands on your passwords, they would still need your unique one time password in your authenticator app to be granted full access to the account,” says Moore.

“Hopefully, this will not put people off password managers, as we still have a long way to go to help people realise their full potential.”
