Researchers from Aalto University and the University of Helsinki have found that password managers aren’t as safe as people think. The team found that over 10 computer security credentials are vulnerable to insider cyber-attacks. These vulnerabilities were found in security managers that are used every day by millions of people to store their private login information. There were also vulnerabilities found in other apps that run on Windows, macOS and Linux.
The average password manager has two parts. The first part is the password vault where the passwords are stored. The second part is an extension that is linked to the internet browsers. Password managers are run as separate processes but on one computer. These processes use inter-process communication (IPC) to exchange the data, which remains on one computer.
IPC typically is thought of as a safe process because it protects from outside attacks. But it doesn’t protect from internal attacks and other processes that are run within the same computer. Malicious processes could be started and then the user could access data in the same IPC communications channel.
"Many security-critical applications, including several password managers, do not properly protect the IPC channel. This means that other users' processes running on a shared computer may access the communication channel and potentially steal users' credentials," explains Thanh Bui, a doctoral candidate at Aalto University.
While one computer might be assumed to be a personal, safe computer, every computer could have multiple users. In large companies normally more than one person uses a computer. Large companies use a centralized identity within an access management system so employees can log into any computer in the company and have all of their saved information available on that computer. While this is very convenient to, it also leaves computers vulnerable to an internal attack by any user.
"The number of vulnerable applications shows that software developers often overlook the security problems related to inter-process communication. Developers may not understand the security properties of different IPC methods, or they place too much trust in software and applications that run locally. Both explanations are worrisome," says Markku Antikainen, a post-doctoral researcher at the University of Helsinki.
The paper on this research is available at the Usenix Conference website.