A critical flaw in four popular password managers for Windows 10 can let attackers recover your login credentials from the PC’s memory. This is possible when the password manager is installed and enabled on your system.
Four popular password managers
The four password managers in question are 1Password, Dashlane, KeePass and LastPass. According to the researchers from Independent Security Evaluators (ISE), “these applications are a vulnerable target for the mass collection of data through malicious hacking campaigns.”
The researchers assessed the underlying functionality of the four password managers and discovered that in some cases, the master password could be found in plaintext in the computer’s memory even when the password manager was locked. The researchers could extract the master password using standard memory forensics.
“The ‘lock’ button on password managers is broken — some more severely than others,” said Adrian Bednarek, ISE Lead Researcher in a blog post.
Although the experiment was carried out on Windows apps, ISE’s research suggests that the vulnerable password managers may also be affected on Apple Macs and mobile operating systems.
“Each password manager also attempted to scrub secrets from memory. But residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets,” Bednarek explained.
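The failure mode Bednarek describes, a copy of the secret left behind a reference that the lock routine never wipes, shown as an added C example that is not ISE’s research code and not the code of any of the four products; the vault_t structure, its functions and the sample password are constructed for illustration:

```c
#include <stdlib.h>
#include <string.h>
#define MASTER_MAX 64
/* Zeroing the compiler cannot drop as a dead store: volatile writes (the idea behind explicit_bzero). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
/* Hypothetical vault state, constructed for this example. */
typedef struct {
    char master[MASTER_MAX]; /* master password while unlocked */
    char *ui_copy;           /* second copy handed to a UI layer */
} vault_t;
int vault_unlock(vault_t *v, const char *pw) {
    size_t n = strlen(pw);
    if (n >= MASTER_MAX) return 0;
    memcpy(v->master, pw, n + 1);
    v->ui_copy = malloc(n + 1);  /* the copy that is easy to forget */
    if (!v->ui_copy) return 0;
    memcpy(v->ui_copy, pw, n + 1);
    return 1;
}
/* Leaky lock: clears the main buffer but never touches ui_copy, so the
 * secret survives on the heap behind a reference nobody tracks. */
void vault_lock_leaky(vault_t *v) {
    memset(v->master, 0, sizeof v->master);
}
/* Fixed lock: wipe every copy before releasing it. */
void vault_lock_fixed(vault_t *v) {
    secure_wipe(v->master, sizeof v->master);
    if (v->ui_copy) {
        secure_wipe(v->ui_copy, strlen(v->ui_copy));
        free(v->ui_copy);
        v->ui_copy = NULL;
    }
}
/* Is the password still readable from any buffer the vault owns? */
int secret_still_present(const vault_t *v, const char *pw) {
    if (v->ui_copy && strcmp(v->ui_copy, pw) == 0) return 1;
    return pw[0] && strncmp(v->master, pw, strlen(pw)) == 0;
}
/* End-to-end check: 1 iff the leaky lock leaves the secret readable and the fixed lock removes it. */
int demo_lock_comparison(void) {
    vault_t v = {{0}, NULL};
    const char *pw = "correct horse battery"; /* constructed sample */
    if (!vault_unlock(&v, pw)) return 0;
    vault_lock_leaky(&v);
    int leaked = secret_still_present(&v, pw);
    vault_lock_fixed(&v);
    return leaked && !secret_still_present(&v, pw);
}
```

A self-check like secret_still_present, run in the product’s own test suite after every lock, catches the forgotten copy long before a memory forensics tool would.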
Given how widely password managers are used, Bednarek notes that the flaw could entice attackers to harvest far more data through malware attacks. It is estimated that up to 60 million password manager users could potentially be at risk from the new vulnerability.
According to The Washington Post, LastPass and Dashlane are aware of the issue. They are working to improve the security of their products.