The Daily Mail reported yesterday afternoon that a Google researcher discovered a huge security flaw in Windows 10 that could have allowed hackers to steal the passwords of thousands of users. For around eight days this month, some versions of the operating system shipped with a password manager with a massive security flaw. The bug meant cybercriminals could easily take the passwords stored in the third-party app and use them to break into people’s online accounts. Steven, Senior Director of Software Security at Synopsys commented below.
John Steven, Senior Director of Software Security at Synopsys:
“Rather than defeating the underlying encryption that protects users’ credentials, many of these vulnerabilities attack password (PW) managers’ interfaces or the APIs that connect them and the browser they service. Security practitioners advise users to use PW management plugins rather than visiting the PW manager’s website in order to avoid the classic AppSec vulnerabilities in those web interfaces. Yet, Tavis discovered the latest vulnerability in the supposedly safer plugin.
PW managers will continue to be vulnerable to these kinds attacks, whether their users engage them as websites or plugins because of how they’re designed to work. PW managers need to be able to observe both data about the URL being visited as well as the structure of the page and its forms. They do this in order to facilitate matching the applicable credentials and then, per settings, auto-fill these forms for the user. This sensing/filling demands parsing and parsing has long been an Achilles heel of product security – a vector through which attacks can introduce malware and take control of an application.
Alternative approaches, such as LastPass on Apple’s iPad, do not have this level of integration. In this scenario, the user must switch between the application in which they’re authenticating and the separate LastPass mobile app. The user cuts/pastes their credentials between the two. This compartmentalisation disallows the kinds of exploitation we’re seeing time-and-time-again, but at a high cost to convenience.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.