Some commercial password managers vulnerable to attack by fake apps

2020-03-18 09:30

Researchers at the University of York have shown that some commercial password managers may not be a watertight way to ensure cybersecurity.

After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.

The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill.

"In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that is not merely based on an app's purported package name."

Commenting on this research for Help Net Security, Jeffrey Goldberg, Chief Defender Against the Dark Arts at 1Password, said: "Academic research of this nature can be misread by the public. The versions of 1Password that were examined in that study were from June and July 2017. As is the convention for such research, the researchers talked to us before making their findings public and gave us the opportunity to fix things that needed to be fixed. The research, and publication of it now, does have real value both to developers password managers and for future examination of password managers, but given its historical nature, it is not a very useful guide to the general public in accessing the current state of password manager security."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/r7E3NC9211M/

#attack #passwordmanager