Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

The New Acunetix V12 Engine


We’ve talked a lot about using a password manager to secure, generate and manage your passwords – way back since 2008 when we introduced you to the Password Hasher Firefox Extension.

Since then we’ve also mentioned it multiple times in articles where plain text passwords were leaked during hacks, such as the Cupid Media hack which exposed 42 Million plain text passwords.

Password Manager Security

Now some researchers have ganged up and are taking a really close look at some of the popular password management solutions and password manager security. Honestly I haven’t heard of My1Login, PasswordBox or NeedMyPassword and wonder why they are included over more popular choices like PassPack and 1Password.

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.

“Critical” vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California Berkeley researchers as a “wake-up call” for developers of web password vaults.

“Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” Researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in the paper The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers (PDF).

“We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords.

“The root-causes of the vulnerabilities are also diverse: ranging from logic and authorisation mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF (cross site request forgery) and XSS (cross site scripting).”

The LastPass bookmarklet option which permitted ad-hoc integration with Safari on iOS was found vulnerable if users were tricked into running the Java code on an attackers’ site.


I just hope this means that PassPack is so secure they left it out (because that’s the one I use). I also chose PassPack because the choice was really between that or LastPass and LastPass has faced some security issues and does some things in rather pointless ways.

PassPack address the LastPass masked password features for example here: Why Masked Passwords Are a Serious Security Hole

I’m fairly certain though, all current password management solutions have security flaws – I just hope the companies developing them take them seriously (however much of an edge case they are) and address them.

A carder, for example, could set up a fake banking site in an attempt to con the less than one percent of LastPass users running bookmarklets to log in. Doing so could allow attackers to extract passwords from the victim’s LastPass vault.

A second CSRF bug affected LastPass one time passwords. It could allow attackers to see which apps and devices were running LastPass, to steal the entire master password-encrypted vault for later brute-forcing, and to erase any stored website password.

The disclosure prompted LastPass to issue a statement playing down vulnerabilities affecting its Java bookmarklets and one time passwords which if run on a malicious website could compromise user accounts prior to a fix pushed out in September.

“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” chief information officer Joe Siegrist said.

“The OTP attack is a ‘targeted attack’ requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack [for each] user [which is] activity which we have not seen.

“Even if this was exploited, the attacker would still not have the key to decrypt user data.”

The research did not signal curtains for web password managers, but rather served as a warning to developers and users of inherent security risks.

You can check out the original paper here – The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers [PDF].

My sceptical side however does see this a little like a pre-marketing stunt, where these guys prove everyone else is insecure (or at least find some guys are partially insecure), publish the details then come out with a new super secure alternative..which you have to pay for obviously.

We shall of course have to wait and see if that happens.

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


One Response to Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

  1. Stefan July 22, 2014 at 10:23 pm #

    There are tons of different password managers. I prefer two which are my favorite. Unfortunately I see one of the here.

    Maybe we all have to check when they issued an update or reported security issues.