Data Stored in Plaintext When Locked
One major finding was that, in certain instances, the master password was residing in the computer’s memory in a plaintext readable format — no safer than storing it in a document or on the desktop as far as an adversary is concerned. Users are led to believe the information is secure when the password manager is locked. Though, once the master password is available to the attacker, they can decrypt the password manager database — the stored secrets, usernames and passwords. ISE demonstrated it is possible to extract master passwords and other login credentials from memory while the password manager was locked.
Simple Forensics Can Extract Master Passwords
Using a proprietary, reverse engineering, tool, ISE analysts were able to quickly evaluate the password managers’ handling of secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard.
“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says lead researcher, Adrian Bednarek. “Once they have your master password, it’s game over.”
“People believe using password managers makes their data safer and more secure on their computer,” says ISE Executive Partner Ted Harrington. “Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
ISE recommends that to keep secrets more secure until vendors fix the issues, password manager users should not leave a password manager running in the background, even in a locked state, and terminate the process completely if they are using one of the affected password managers.
This report is part of an ongoing research initiative conducted by Independent Security Evaluators to protect consumers and businesses and to inform manufacturers of vulnerabilities that could expose their customers to risk. All vulnerabilities and relevant research findings have been responsibly disclosed to the manufacturers.