gugluno.blogg.se

Roboform vulnerability

One of the vulnerabilities that researchers from the University of York discovered in widely-used password managers could have resulted in malicious apps stealing users’ credentials.

Password managers are encrypted vaults employed to store credentials and other sensitive information, and they allow the use of strong, unique credentials for each of the applications and online services an individual uses. Many security experts encourage the use of these password managers, although they also recommend the adoption of multi-factor authentication (MFA), to ensure that attackers can’t access a user’s account even if the credentials protecting it are compromised.

University of York researchers Michael Carr and Siamak F. Shahandashti analyzed five popular commercial password managers – LastPass, Dashlane, Keeper, 1Password, and RoboForm – and identified four previously unknown vulnerabilities, including one that could result in exposed credentials.

The most important of the discovered flaws could have allowed a malicious app to impersonate a legitimate program and trick the password manager into revealing stored credentials for the respective service, the researchers explain in a newly published whitepaper (PDF).

The issue impacts the 1Password and LastPass Android applications, both of which were found vulnerable to a phishing attack due to the use of “weak matching criteria for identifying which stored credentials to suggest for autofill.” Thus, the researchers explain, a malicious app could impersonate a legitimate one by simply using an identical package name.

The researchers built a proof-of-concept application that employs this attack on LastPass, but say that the same applies to 1Password as well.
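The weak matching criterion the article describes, modeled next to a stricter check that also pins the requesting app's signing-certificate digest. This is an added example, not code from the whitepaper or from any of the password managers named; it models the logic in Python rather than calling Android APIs, and the certificate pinning, the package name `com.example.bank`, the certificate bytes and every class and function name are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestingApp:
    package_name: str    # declared by the app itself, not proof of identity
    signing_cert: bytes  # constructed stand-in for the APK signing certificate


@dataclass(frozen=True)
class VaultEntry:
    package_name: str
    cert_sha256: str     # digest recorded when the credential was saved
    username: str


def cert_digest(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


def suggest_weak(vault, app):
    """Weak criterion: match on package name alone."""
    return [e.username for e in vault if e.package_name == app.package_name]


def suggest_pinned(vault, app):
    """Stricter criterion: package name and certificate digest must both match."""
    digest = cert_digest(app.signing_cert)
    return [e.username for e in vault
            if e.package_name == app.package_name
            and hmac.compare_digest(e.cert_sha256, digest)]


# Constructed sample data: one saved credential, two apps declaring the same package name.
GENUINE = RequestingApp("com.example.bank", b"constructed-cert-genuine")
LOOKALIKE = RequestingApp("com.example.bank", b"constructed-cert-other")
VAULT = [VaultEntry("com.example.bank", cert_digest(GENUINE.signing_cert), "alice")]

if __name__ == "__main__":
    for label, app in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label, "weak:", suggest_weak(VAULT, app),
              "pinned:", suggest_pinned(VAULT, app))
```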





