Carr, Michael and Shahandashti, Siamak F. orcid.org/0000-0002-5284-6847 (2020) Revisiting Security Vulnerabilities in Commercial Password Managers. In: International Conference on ICT Systems Security and Privacy Protection, 26-28 May 2020.
Abstract
In this work we analyse five popular commercial password managers for security vulnerabilities. Our analysis is twofold. First, we compile a list of previously disclosed vulnerabilities through a comprehensive review of academic and non-academic sources and test each password manager against all of them. We find a mixed picture of fixed and persisting vulnerabilities. Then we carry out systematic functionality tests on the considered password managers and find four new vulnerabilities. Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of the five widely-used password managers we tested and, as a result, steal the user's password for the targeted service. We implement a proof-of-concept attack to show the feasibility of this vulnerability in a real-life scenario. Finally, we report and reflect on our experience of responsibly disclosing the newly discovered vulnerabilities to the corresponding password manager vendors.
Metadata
Field | Value
---|---
Item Type | Conference or Workshop Item
Authors/Creators | Carr, Michael; Shahandashti, Siamak F.
Keywords | Vulnerability Testing, Password Managers, Password Manager Security, Authentication, Software Security, Security Analysis, Security Attack
Dates |
Institution | The University of York
Academic Units | The University of York > Faculty of Sciences (York) > Computer Science (York)
Depositing User | Pure (York)
Date Deposited | 04 Mar 2020 12:00
Last Modified | 13 Feb 2025 05:35
Published Version | https://doi.org/10.1007/978-3-030-58201-2_18
Status | Published
Refereed | Yes
Identification Number | 10.1007/978-3-030-58201-2_18
Open Archives Initiative ID (OAI ID) | oai:eprints.whiterose.ac.uk:158056
Download
Filename: Revisiting_Security_Vulnerabilities_in_Commercial_Password_Managers_2.pdf
Description: Revisiting_Security_Vulnerabilities_in_Commercial_Password_Managers 2