Password Manager Vendors Respond to Sniffing Vulnerability Allegations
- Creators of the password managers that were tested out by ISE recently have responded to the allegations.
- Some disagree with the researchers’ claims, while others say that legacy versions of their products were inexplicably used for the study.
- LastPass issued a patch but removed ISE researcher from their bug bounty after performing unauthorized disclosure through the study.
As we reported two days back, the ISE (Independent Security Evaluators) have conducted a detailed study on how secure the top password manager tools are against sniffing attacks. The study focused on popular and widely used products like 1Password, Dashlane, KeePass, and LastPass, concluding that none of them are adequately safe. The study findings have shown that the way the keylogging and clipboard management is implemented in these tools, it would be possible for an attacker who knows what they’re doing to get the passwords from the memory strings when the tools are not in use.
As expected, the ISE report caused a stir in the community, and while the researchers still suggested the use of password managers, exposing some critical flaws in the way these tools work wasn’t very encouraging. The developers of the aforementioned tools have responded through official statements on their respective websites as well as on ZDNet, playing down the study and the way the findings were given out to the public.
Dashlane’s CEO Emmanuel Schalit has stated the following: “We respectfully disagree with the researcher’s claim that this can be truly fixed by Dashlane or anyone for that matter. Once the operating system or device is compromised, an attacker will end up having access to anything on the device and there is no way to effectively prevent it. There are solutions that amount to ‘putting the information under the rug’ but any attacker sufficiently sophisticated enough to remotely take control of the user’s device would go around these solutions very easily.”
CTO of LastPass, Sandor Palfy has made the following statement: “This particular vulnerability, in LastPass for Applications, our legacy, local Windows Application (which accounts for less than 0.2 percent of all LastPass usage) was brought to our attention by researchers through our Bug Bounty Program. In order to read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer. We have already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report. To mitigate the risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind.”
Jeffrey Goldberg, a high-standing engineer at 1Password has written the following regarding the memory management problem of their products: “Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly. Long term, we may not need to make such a tradeoff. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision. The realistic threat from this issue is limited. An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer.”
Finally, a KeePass representative has stated that: “For some operations, KeePass must make sensitive data available unencrypted in the process memory. For example, in order to show a password in the standard list view control provided by Windows, KeePass must supply the cell content (the password) as an unencrypted string (unless hiding using asterisks is enabled).”
Are the above convincing to you, or do you expect important fixes to be rolled out by the password manager developers in future versions? Let us know where you stand in the comments section below, and share your password management choice with the rest. Don’t forget that you can always check out our socials on Facebook and Twitter for more fresh tech news like this one.