Flaw in Password Managers Allowed Apps to Steal Credentials
Security News, March 2020
One of the vulnerabilities that researchers from the University of York discovered in widely-used password managers could have resulted in malicious apps stealing users' credentials.
Password managers are encrypted vaults employed to store credentials and other sensitive information, and they allow the use of strong, unique credentials for each of the applications and online services an individual uses.
The most serious of the discovered flaws could have allowed a malicious app to impersonate a legitimate program and trick the password manager's autofill feature into revealing the credentials stored for that program's service, the researchers explain in a newly published whitepaper.
For the attack to succeed, the malicious app must be installed on the victim's Android device, the victim must use one of the vulnerable password managers and accept its autofill prompt, and the encrypted vault must already hold credentials for the target application.
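The decision an autofill service makes when an app asks for a credential is what the impersonation attack targets. The example below, added to this article and not taken from the researchers' paper or from any password manager's code, models that decision in Python with constructed data. It assumes, as an illustration the article itself does not spell out, that the weak variant identifies the requesting app by its package name alone, and contrasts it with a check that also requires the fingerprint of the APK signing certificate, which a third-party app cannot reproduce. Names such as `AppIdentity`, `weak_lookup` and `hardened_lookup`, and the certificate bytes, are invented for the example.

```python
"""Model of an autofill service choosing which stored credential to offer.

Added example for this article; not the researchers' code and not any
password manager's implementation. The package-name-only match in
weak_lookup() is an assumed impersonation route, used here to show why
the signing certificate must be part of the app's identity.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AppIdentity:
    package_name: str
    signer_sha256: str  # hex SHA-256 of the APK signing certificate (DER)


@dataclass(frozen=True)
class VaultEntry:
    app: AppIdentity
    username: str
    password: str


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, as a lowercase hex string."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample data: these byte strings stand in for real DER-encoded
# signing certificates; they are not real certificates.
BANK_CERT_DER = b"constructed-cert-of-the-genuine-com.example.bank-app"
EVIL_CERT_DER = b"constructed-cert-of-the-attacker-signed-app"

GENUINE_BANK_APP = AppIdentity("com.example.bank", cert_fingerprint(BANK_CERT_DER))
# The impersonator declares the same package name but is signed with its own key.
IMPERSONATING_APP = AppIdentity("com.example.bank", cert_fingerprint(EVIL_CERT_DER))

VAULT: List[VaultEntry] = [
    VaultEntry(GENUINE_BANK_APP, "alice", "correct horse battery staple"),
]


def weak_lookup(vault: List[VaultEntry], requester: AppIdentity) -> Optional[VaultEntry]:
    """Assumed weak behaviour: match on package name only.

    Any installed app that declares the victim's package name is offered the
    stored credential, which is the impersonation route modelled here.
    """
    for entry in vault:
        if entry.app.package_name == requester.package_name:
            return entry
    return None


def hardened_lookup(vault: List[VaultEntry], requester: AppIdentity) -> Optional[VaultEntry]:
    """Match on package name AND signing-certificate fingerprint.

    An app signed with a different key is refused even if its package name
    collides with the stored one. compare_digest keeps the fingerprint
    comparison constant-time.
    """
    for entry in vault:
        if entry.app.package_name == requester.package_name and hmac.compare_digest(
            entry.app.signer_sha256, requester.signer_sha256
        ):
            return entry
    return None


def leaked_by_weak_match(vault: List[VaultEntry], requester: AppIdentity) -> bool:
    """True when the weak policy would hand a credential to an app that the
    hardened policy rejects, i.e. the impersonation succeeds."""
    return weak_lookup(vault, requester) is not None and hardened_lookup(vault, requester) is None


if __name__ == "__main__":
    print("genuine app, hardened:", hardened_lookup(VAULT, GENUINE_BANK_APP))
    print("impersonator, weak:   ", weak_lookup(VAULT, IMPERSONATING_APP))
    print("impersonator, hardened:", hardened_lookup(VAULT, IMPERSONATING_APP))
    print("impersonation leaks credential:", leaked_by_weak_match(VAULT, IMPERSONATING_APP))
```

On a real device the fingerprint would come from the platform rather than from constructed bytes: an Android autofill service can read the requesting activity's package name from the fill request's `AssistStructure` and obtain that package's signing certificates through `PackageManager` (with `GET_SIGNING_CERTIFICATES` on API 28 and later), then hash them as `cert_fingerprint` does. Storing that fingerprint alongside each vault entry at save time is what makes the hardened comparison possible later.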
On a separate issue involving credentials copied to the clipboard, the researchers note: "Although the attacker will not be aware as to what account this password is associated with, they can try the credentials with a precompiled list of websites for which autofill is known not to work. The suggested mitigation for this issue would be for the password managers to provide an option to clear the clipboard after a set amount of time."