Nine popular password managers including "1 Password" and "LastPass" are reported to be at risk of information leakage



Reusing the same password across multiple services is considered a dangerous security practice. Because managing a different password for every service quickly becomes very difficult, security experts recommend using a password manager such as "1 Password" or "LastPass". However, these password managers are reported to have serious vulnerabilities that may leak authentication information such as user IDs and passwords.

TeamSIK - Password-Manager Apps
https://team-sik.org/trent_portfolio/password-manager-apps/

9 Popular Password Manager Apps Found Leaking Your Secrets
http://thehackernews.com/2017/02/password-manager-apps.html


Security researchers belonging to TeamSIK at Fraunhofer SIT, a German security-related laboratory, tested nine popular password manager applications that have been installed from Google Play 100,000 to 50 million times: "LastPass", "Keeper", "1 Password", "My Passwords", "Dashlane Password Manager", "Password Manager", "F-Secure KEY", "Keepsafe" and "Avast Passwords". As a result, TeamSIK discovered a total of 26 vulnerabilities in the nine applications, each of which was shown to have one or more vulnerabilities.


According to TeamSIK, some password manager applications are vulnerable to data residue attacks and clipboard sniffing. Some of the apps saved the master password in plain text, and others had encryption keys written into the application's code. One of the most important vulnerabilities was discovered in the Password Manager application developed by Informaticore: "Because the encryption key is hard-coded, the encrypted master password can be decrypted relatively easily." Similar vulnerabilities have also been found in LastPass.
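The hard-coded-key flaw described above, set beside a design that stores nothing recoverable, as an added example (not code from TeamSIK or from any of the tested apps). The key, the toy cipher standing in for real encryption, the iteration count and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into an app binary (not from any real product).
HARDCODED_KEY = b"constructed-demo-key"
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for the target device


def _toy_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher (HMAC-SHA256 keystream XOR); stands in for AES here."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def weak_store(master_password: str) -> bytes:
    """Flawed design: the master password is encrypted under the embedded key."""
    return _toy_cipher(HARDCODED_KEY, master_password.encode())


def weak_recover(blob: bytes) -> str:
    """Needs only the stored blob plus the key every copy of the app contains."""
    return _toy_cipher(HARDCODED_KEY, blob).decode()


def hardened_store(master_password: str) -> dict:
    """Store a random salt and a verifier; the password and vault key are never stored."""
    salt = os.urandom(16)
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    verifier = hmac.new(vault_key, b"verifier", hashlib.sha256).digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def hardened_unlock(record: dict, attempt: str):
    """Return the vault key if the attempt is correct, otherwise None."""
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    check = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, record["verifier"]) else None
```

In the hardened form the vault key exists only after the user types the master password, so a copy of the app and its stored data is not enough to open the vault without guessing the password through the slow key derivation.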

Regarding this test result, TeamSIK says, "The overall results are very worrying. Although password manager applications claim to be 'safe', they cannot be said to have sufficient protection mechanisms for the stored passwords and ID information," and notes that the applications are not of a quality that can protect important authentication information.

In fact, it has also become clear that a password the user managed with the Password Manager application was easily stolen by a malicious application installed on the user's device. In addition, although most password manager applications have an "auto-fill function" that automatically enters the ID and password into text boxes, it is also suggested that phishing scams targeting this function could make it easy to steal personal information.

Phishing scams targeting the auto-fill function already exist, and the risk is pointed out in the following article, which includes a sample program of a phishing scam targeting the auto-fill function built into browsers.

There is a danger of personal information being secretly stolen if you use the "auto-fill function" that automatically enters your name, e-mail address, address, etc. - GIGAZINE


The detected vulnerabilities have been reported to the developers of the applications and were fixed before the research results were published, so if you are using these applications, it is recommended that you update them promptly.

in Mobile,   Software,   Security, Posted by logu_ii