Researchers find security vulnerabilities in password managers
Researchers at the University of California, Berkeley have found vulnerabilities in multiple password managers, including the popular LastPass. In the case of LastPass the bookmarklet was vulnerable: a rogue website on which the user invoked it could obtain the key material and decrypt all of the user's passwords.
The researchers have only now published their findings, although they concern vulnerabilities discovered in the summer of last year, most of which had already been fixed at that time. They examined five password managers, among them LastPass, My1login and RoboForm.
Notably, one of the five, NeedMyPassword, never responded to the researchers' report and was therefore still vulnerable at the time of publication. The other vendors replied to the researchers' emails within a week and have since fixed most of the problems.
One of the most serious problems was the bookmarklet of the popular LastPass. A bookmarklet is an ordinary bookmark whose address is a javascript: URL instead of a web address; clicking it runs that JavaScript inside the page the user is currently viewing, with the same privileges and the same global objects as the page's own scripts. Three of the password managers use bookmarklets to autofill usernames and passwords in browsers for which they have no extension, such as Safari on iOS, which does not support extensions. All three bookmarklets turned out to be vulnerable.
In the LastPass case, any website on which the user clicked the bookmarklet could exploit it: because the bookmarklet's code runs in the page's JavaScript context, the page controls every built-in function that code relies on and can read the key material used to protect the passwords, and with it the user's entire password database. RoboForm and My1login had similar vulnerabilities.
Almost all of the password managers were also vulnerable to classic web application flaws in their own websites, such as cross-site request forgery (CSRF): another website makes the user's browser send an HTTP request to the password manager, which, because the browser attaches the user's session cookie, treats it as a command from the logged-in user. In the case of LastPass, this allowed the URLs of the sites for which passwords were stored to be read, as well as the encrypted passwords.
The researchers stress that password managers can be useful in principle, but that in practice they can make users less secure: the tools are a single point of failure. Anyone who gains access to the password manager immediately has every password, which increases the impact of a single compromise.