A large number of top password managers may be vulnerable to cyberattack by fake applications, new reports have warned.
Researchers at the University of York found that two out of five password managers gave out customer details when presented with a fake malicious Google app.
While the researchers did not delve into specific details, most of the tested password manager applications used weak criteria for identifying rogue apps, which is what made this vulnerability so damaging.
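To make the "weak criteria" point concrete, here is an added illustration (not code from the study or from any password manager) of the decision an autofill service has to make. The platform tells the service which package is asking for credentials; a weak matcher trusts the package name alone, while a stricter one also compares the fingerprint of the app's signing certificate with the one recorded when the credential was saved. The package name, certificate bytes and credential entry below are all constructed sample data, and `hmac.compare_digest` is used so the fingerprint comparison does not leak timing information.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the DER-encoded signing certificates of two apps
# that both claim the same package name. Only one is the genuine developer's.
GENUINE_CERT = b"constructed: genuine developer signing certificate"
OTHER_CERT = b"constructed: certificate from a different signer"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class AutofillRequest:
    """What the autofill service learns about the app asking for a credential."""
    package_name: str
    signer_fingerprint: str


# Constructed credential store: each entry pins the signing-certificate
# fingerprint of the app it was originally saved for.
CREDENTIALS = {
    "com.example.bank": {
        "username": "alice",
        "password": "constructed-sample-password",
        "pinned_fingerprint": cert_fingerprint(GENUINE_CERT),
    }
}


def weak_lookup(req: AutofillRequest):
    """Package-name-only matching: any app carrying the name is offered the credential."""
    entry = CREDENTIALS.get(req.package_name)
    return None if entry is None else entry["username"]


def strict_lookup(req: AutofillRequest):
    """Package name AND pinned signer fingerprint must both match."""
    entry = CREDENTIALS.get(req.package_name)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["pinned_fingerprint"], req.signer_fingerprint):
        # Same package name, different signer: do not offer the credential.
        return None
    return entry["username"]


if __name__ == "__main__":
    genuine = AutofillRequest("com.example.bank", cert_fingerprint(GENUINE_CERT))
    impostor = AutofillRequest("com.example.bank", cert_fingerprint(OTHER_CERT))
    print("weak  / genuine :", weak_lookup(genuine))
    print("weak  / impostor:", weak_lookup(impostor))
    print("strict/ genuine :", strict_lookup(genuine))
    print("strict/ impostor:", strict_lookup(impostor))
```

The weak matcher offers the credential to both requests; the strict matcher offers it only to the request whose signer matches the pinned fingerprint. Pinning the signer when a credential is first saved is what lets the manager refuse a later app that merely reuses the name.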
The researchers added that if hackers somehow succeed in getting victims to install such fake applications, there is a chance they could easily gain access to the passwords.
Since many password manager apps do not limit the number of attempts allowed when unlocking with a PIN or other login, these apps can often be broken into with a brute-force password attack in just over a couple of hours.
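The attempt-limiting measure the article says is missing is simple to model. The following is an added example, not code from the study or from any product: an unlock guard that stores only a salted hash of the PIN, allows a small number of free attempts, and then imposes a lockout that doubles after every further failure. The PIN, salt and the injectable clock are constructed for the example so it runs offline and deterministically.

```python
import hashlib
import hmac
import os
import time


def make_pin_verifier(pin: str, iterations: int = 50_000):
    """Return a verifier closure that holds only a salted PBKDF2 hash of the PIN."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

    def verify(candidate: str) -> bool:
        attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(stored, attempt)

    return verify


class FakeClock:
    """Constructed monotonic clock so lockouts can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class UnlockGuard:
    """Counts failed unlock attempts and enforces a growing lockout window."""

    def __init__(self, verifier, max_free_attempts: int = 5,
                 base_lockout: float = 30.0, clock=time.monotonic):
        self.verifier = verifier
        self.max_free_attempts = max_free_attempts
        self.base_lockout = base_lockout
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def lockout_remaining(self) -> float:
        """Seconds until the next attempt is allowed (0.0 when not locked out)."""
        return max(0.0, self.locked_until - self.clock())

    def try_unlock(self, candidate: str) -> bool:
        # While locked out, refuse without even evaluating the candidate PIN.
        if self.lockout_remaining() > 0:
            return False
        if self.verifier(candidate):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_free_attempts:
            # First lockout is base_lockout seconds; it doubles on every later failure.
            extra = self.failures - self.max_free_attempts
            self.locked_until = self.clock() + self.base_lockout * (2 ** extra)
        return False


if __name__ == "__main__":
    clock = FakeClock()
    guard = UnlockGuard(make_pin_verifier("1234"), clock=clock)
    for _ in range(5):
        guard.try_unlock("0000")
    print("lockout after 5 failures:", guard.lockout_remaining(), "s")
    clock.advance(30.0)
    print("correct PIN after waiting:", guard.try_unlock("1234"))
```

With a four-digit PIN and no guard, an attacker who has the device can simply walk the whole PIN space; with this guard, every failure past the fifth roughly doubles the wait, so exhausting the space stops being a matter of hours. A real implementation would persist `failures` and `locked_until` so that restarting the app does not reset them.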
Senior author of the study, Dr Siamak Shahandashti from the Department of Computer Science at the University of York, noted that “Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial. Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.”
He also suggested that these commercial password-managing apps should deploy additional screening measures before sharing password details with other apps, and use stronger security mechanisms to limit login attempts.
Since password managers are entrusted with securely remembering unique and complex passwords, it is imperative for the companies behind these apps to ensure that their applications are safe and cannot be easily hacked.
Via: IT Pro