Everyone is spending a whole lot more time cooped up inside these days. For most of us, all that means is some extra hours spent watching television or catching up on our reading list, but the Covid-19 pandemic has already caused a big increase in scams and malicious online schemes.
All of us are staying home due to the coronavirus, even the hackers and criminals among us, which means those scam artists suddenly have more time to work on perfecting their craft. While we certainly don’t need something else to worry about right now, we should all be extra diligent about our online security throughout this pandemic. The lowest common denominator will always try to take advantage of others during hard times.
On that note, a new study conducted at the University of York has found that commercial password managers may be vulnerable to cyber-attacks via fake apps.
Modern technology, smartphones, and the internet are supposed to make our lives easier. However, keeping track of the endless passwords for all of our online accounts can be enough to make many of us scream. Gone are the days of AOL passwords like “passw0rd” or “TomSmith1234.” As the internet has grown, so have hacking activities, and everyone’s passwords need to be complex and impossible to guess.
That’s where password managers come in. These convenient services store all of our passwords in one, secure vault and autofill our credentials whenever it’s time to log in to an app, account, etc. Besides just being super helpful, these managers are advertised as being ultra-secure, often boasting airtight encrypted vaults.
Unfortunately, researchers put five popular password managers to the test, and two were fooled into giving away passwords. This was achieved through the creation of a malicious app that impersonated a real Google application.
All in all, some password managers use very weak criteria when determining the legitimacy and identity of an app, and thus which stored passwords to auto-fill. All the study’s authors had to do to fool these managers was create a “rogue app” with an identical name to a real app.
“Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial,” explains senior study author Dr. Siamak Shahandashti from the Department of Computer Science at the University of York, in a press release.
“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” he adds. “In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that is not merely based on an app’s purported package name.”
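The following is an added illustration of the matching problem described above; it is not code from the University of York study or from any password manager vendor. It simulates an autofill lookup that identifies the requesting app by its purported package name alone, next to one that also requires the app’s signing-certificate fingerprint to match the one recorded when the login was first saved (one possible form of the “stricter matching criteria” the authors call for; the specific check is this example’s assumption). All package names, certificate bytes and credentials are constructed sample values.

```python
"""Added example: package-name-only autofill matching versus matching on
package name plus signing-certificate fingerprint. Not from the study or any
vendor; all identifiers and credentials below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class InstalledApp:
    """What the autofill framework tells the manager about the requesting app."""
    package_name: str
    signing_cert: bytes  # DER bytes of the app's signing certificate (constructed here)


def cert_fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, as stored in the vault."""
    return hashlib.sha256(cert).hexdigest()


# Vault entry recorded when the user first saved a login in the genuine app.
# The fingerprint was captured from the genuine app at save time.
VAULT = [
    {
        "package": "com.example.mail",
        "cert_sha256": cert_fingerprint(b"constructed-genuine-mail-cert"),
        "username": "alice",
        "password": "correct-horse-battery-staple",
    },
]

Credential = Optional[Tuple[str, str]]


def autofill_by_name(app: InstalledApp) -> Credential:
    """Weak policy: trust whatever package name the requesting app presents."""
    for entry in VAULT:
        if entry["package"] == app.package_name:
            return (entry["username"], entry["password"])
    return None


def autofill_by_name_and_cert(app: InstalledApp) -> Credential:
    """Stricter policy: the package name AND the signing certificate must match
    what was recorded at save time, so a look-alike app signed with a different
    key gets nothing."""
    fp = cert_fingerprint(app.signing_cert)
    for entry in VAULT:
        if entry["package"] == app.package_name and entry["cert_sha256"] == fp:
            return (entry["username"], entry["password"])
    return None


def compare_policies() -> dict:
    """Run both policies against the genuine app and a same-named app signed
    with a different (constructed) certificate; returns what each would fill."""
    genuine = InstalledApp("com.example.mail", b"constructed-genuine-mail-cert")
    lookalike = InstalledApp("com.example.mail", b"constructed-other-cert")
    return {
        "name_only": {
            "genuine": autofill_by_name(genuine),
            "lookalike": autofill_by_name(lookalike),
        },
        "name_and_cert": {
            "genuine": autofill_by_name_and_cert(genuine),
            "lookalike": autofill_by_name_and_cert(lookalike),
        },
    }


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(policy, outcome)
```

The name-only policy hands the stored credential to any app that presents the expected package name, which is the weakness the study exploited; the stricter policy fills only when the signing certificate also matches, so the same-named app signed with a different key is refused. Pinning the fingerprint at save time, rather than on every request, is what makes the second check meaningful.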
Additionally, some of the tested password managers didn’t have a cap on the number of times a master password or PIN could be entered or guessed. So, if a hacker were to gain access to one’s device, that means they could conceivably continually perform a “brute force” attack in which they constantly guess PIN or password combinations. Researchers estimate that most devices would be compromised from such an attack within just two and a half hours.
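As an added illustration of the missing cap the paragraph above describes (not code from the study or from any password manager), the gate below verifies a master PIN or password, counts consecutive failures, delays each further attempt with exponential backoff, and locks the vault outright after a fixed number of failures. The secret, the thresholds and the injectable clock are this example’s own choices; the clock is injected so the backoff can be exercised without sleeping.

```python
"""Added example: a master-password unlock gate with attempt counting,
exponential backoff and a hard lockout. Not from the study or any vendor;
secrets and thresholds below are constructed for the demonstration."""
import hashlib
import hmac
import os
import time
from typing import List


class UnlockGate:
    """Sits in front of the vault. Returns one of:
    "ok"     - secret accepted, counters reset
    "wrong"  - secret rejected, backoff delay scheduled
    "wait"   - attempt ignored because the backoff delay has not elapsed
    "locked" - too many failures; the vault no longer accepts attempts
    """

    def __init__(self, secret: str, max_failures: int = 10,
                 base_delay: float = 1.0, clock=time.monotonic) -> None:
        self._salt = os.urandom(16)
        self._digest = self._derive(secret, self._salt)
        self.max_failures = max_failures
        self.base_delay = base_delay
        self._clock = clock
        self.failures = 0
        self._next_allowed = 0.0
        self.locked = False

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        # Deliberately slow KDF: each verification costs real CPU time,
        # which limits the rate of guessing even without the counter.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def attempt(self, candidate: str) -> str:
        if self.locked:
            return "locked"
        now = self._clock()
        if now < self._next_allowed:
            return "wait"
        if hmac.compare_digest(self._derive(candidate, self._salt), self._digest):
            self.failures = 0
            self._next_allowed = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        # Backoff doubles with each consecutive failure: 1s, 2s, 4s, ...
        self._next_allowed = now + self.base_delay * (2 ** (self.failures - 1))
        return "wrong"


class FakeClock:
    """Manually advanced clock so backoff can be tested deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def run_demo() -> List[str]:
    """Drive the gate through wrong guesses, a premature retry, a correct
    unlock, and finally a lockout; returns the sequence of outcomes."""
    clock = FakeClock()
    gate = UnlockGate("constructed-master-secret", max_failures=3, clock=clock)
    out = [gate.attempt("guess-1")]        # wrong  -> must wait 1s
    out.append(gate.attempt("guess-2"))    # wait   -> delay not elapsed
    clock.t = 1.0
    out.append(gate.attempt("guess-2"))    # wrong  -> must wait 2s
    clock.t = 3.0
    out.append(gate.attempt("constructed-master-secret"))  # ok, counters reset
    out.append(gate.attempt("guess-3"))    # wrong  -> failures back to 1
    clock.t = 4.0
    out.append(gate.attempt("guess-4"))    # wrong  -> failures 2
    clock.t = 6.0
    out.append(gate.attempt("guess-5"))    # locked -> third failure hits the cap
    out.append(gate.attempt("constructed-master-secret"))  # locked, even if right
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two independent controls appear here: the slow key derivation makes every guess expensive, and the counter with backoff and lockout bounds how many guesses a device will honour at all. Either one alone changes the picture from the uncapped guessing the study found; together they make the “two and a half hours” estimate inapplicable.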
On top of those glaring problems, the research team also took some time to see if various vulnerabilities within these managers detected during a previous study had been rectified. Most had been fixed, but some remained present and seemingly hadn’t been addressed at all. The study’s authors contacted the password managers found to be vulnerable and let them know what they had uncovered.
“New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors. Some were fixed immediately while others were deemed low priority,” notes lead study author Michael Carr. “More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and usable option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”
We all have a lot on our minds right now, and it’s easy to forget about issues like online security, but the scammers and schemers of the world may just be counting on everyone letting their guard down. Don’t forget to always double-check any new apps you’re thinking about downloading.
These findings are set to be presented at the 35th International Conference on ICT Systems Security and Privacy Protection this September.