29 vulnerabilities found in top-rated password managers for Android
Researchers from the Fraunhofer Institute in Germany analyzed nine password managers for Android and found 29 “implementation flaws resulting in serious security vulnerabilities” that could allow data leaks in browser research, privacy issues and password leaks.
The apps include LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore’s Password Manager, F-Secure KEY, Keepsafe, Keeper and Avast Passwords. Some have been installed by more than 50 million users.
LastPass and Dashlane were rated two of “the best password managers of 2017” by PCMag; but probably not from a security point of view, as three vulnerabilities were detected in LastPass, four in Dashlane and five in 1Password.
“The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks,” the researchers said. “Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code.”
Another major concern is that password managers also often offer to store PIN codes and credit card numbers.
“We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks,” the researchers explained. “For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.”
As of March 1, all vulnerabilities have been fixed.