Key Concepts
Popular password manager applications, both desktop and browser-based, are susceptible to leaking user credentials in plaintext from system memory, posing significant security risks.
Summary
The study examines the security of 24 popular password manager (PM) applications, including 12 desktop and 12 browser-based plugins, across six representative usage scenarios. The key findings are:
- Only 3 desktop PM applications and 2 browser plugins do not store plaintext passwords in system memory.
- Across all scenarios, 50 instances of password leaks were observed, with 24 for master passwords and 26 for entry passwords.
- Many PMs expose the same password multiple times in memory, increasing the chances of an attacker discovering it.
- The authors responsibly disclosed the findings to the affected vendors, with only 2 acknowledging the issue and reserving a CVE ID.
- The paper discusses best practices for secure password management, including cryptographic primitives, obfuscation techniques, and operating system security features such as UAC and Protected Process Light.
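The residue problem the study describes comes from working copies of a password that are never scrubbed, or are scrubbed with a memset() the compiler drops as a dead store. The following C snippet is an added example, not code from the paper or from any of the studied password managers; it shows a wipe routine that the compiler must keep, a "use then discard" pattern that leaves the password only in its derived form, and a check that the buffers really are zero afterwards. The FNV-1a hash is a toy stand-in for a real key derivation function.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Overwrite len bytes through a volatile pointer so the stores cannot be
 * removed by dead-store elimination (the usual fate of a trailing memset). */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte in buf is zero, 0 otherwise. */
int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* "Use then discard": copy the password into a working buffer (as many
 * applications do), derive a value from it, then wipe both the working copy
 * and the caller's buffer so the plaintext survives only as the derived value.
 * FNV-1a 32-bit is a toy placeholder for a real KDF (hypothetical choice).
 * Returns the derived value and reports via *wiped whether both wipes held. */
uint32_t use_and_wipe(char *password, size_t len, int *wiped) {
    unsigned char work[256];
    size_t n = len < sizeof work ? len : sizeof work;
    memcpy(work, password, n);

    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= work[i];
        h *= 16777619u;
    }

    secure_wipe(work, sizeof work);   /* scrub the working copy ... */
    secure_wipe(password, len);       /* ... and the original buffer */
    *wiped = is_wiped(work, sizeof work) &&
             is_wiped((const unsigned char *)password, len);
    return h;
}
```

Wiping is only part of the picture: every additional copy (string reallocations, UI widgets, undo buffers) is another place the plaintext can linger, which is why the study counts the same password appearing several times in memory.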
Statistics
The study found that across all scenarios, 50 instances of password leaks were observed, with 24 for master passwords and 26 for entry passwords.
Quotes
"Despite the sensitive nature of these applications, our results show that across all scenarios, only three desktop PM applications and two browser plugins do not store plaintext passwords in the system memory."
"Oddly enough, at the time of writing, only two vendors recognized the exploit as a vulnerability, reserving CVE-2023-23349, while the rest chose to disregard or underrate the issue."