Malicious Apps Tricking Password Managers into Handing Over Login Data

Posted on March 20, 2020 at 11:08 AM

Recent reports warn that people who use password managers to keep track of their login information may be in danger of losing that data to hackers. Even the top password managers seem to be vulnerable to a new trick that researchers have tried, which revolves around setting up fake applications that password managers might believe to be legitimate.

A new study by researchers at the University of York found that two out of five password managers might fall for the trick and give up their users’ login details when presented with a fake Google app.

The app itself is malicious, and while the researchers did not reveal too many details for fear of hackers exploiting the flaw, they did reveal that many of the best password managers out there had rather weak criteria for identifying fake and rogue apps.

In other words, if hackers somehow manage to trick people into installing fake versions of some popular apps, there is a chance that they might gain access to the victims’ phones. Password managers would not act as a safe way of logging in, as the app would record the login data and send it to hackers, who could then log into the users’ real accounts and exploit them.

Furthermore, password managers are often in danger themselves, as many of them do not impose login limits. As a result, password manager apps can be broken into with some of the less sophisticated attacks, such as brute-force password attacks, in which hackers try numerous passwords until one of them succeeds. While the process could last for hours per account, any successful break-in could have devastating consequences.

Study author says that password managers need to be more secure

Dr. Siamak Shahandashti, the senior author of the study from the University of York’s Department of Computer Science, noted that password managers act as gatekeepers to a lot of sensitive information. As such, they need to be secure themselves, and with the new threat in mind, rigorous security analysis of all password managers is nothing less than crucial.

Dr. Shahandashti added that the study shows that phishing attacks via malicious apps are highly feasible. All that hackers need to do is trick the victim into installing the app, and the app would present itself as a legitimate option to password managers, which will offer to autofill the login page. So far, such apps have had a high chance of success, he warned.

The researcher also suggested that commercial password managers need to deploy some extra screening measures before they decide to share the password details with the app that the user is trying to access. This should be done for every app, and it should become a standard measure that would protect users from similar issues in the future. Not only that, but password managers should also limit login attempts, so that brute force attacks would not be possible.

Some password managers already employ such protective measures, allowing users to try to log in up to three to five times before disabling login attempts for a short period of time. This is a measure that should be added to every password manager out there, for the safety of the users themselves.
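The attempt limit described above can be sketched as follows. This is an added example, not code from the study or from any password manager; the `VaultLock` class, the 300-second lockout and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5        # the article cites limits of three to five tries
LOCKOUT_SECONDS = 300   # assumed value for "a short period of time"


class VaultLock:
    """Hypothetical master-password gate with a temporary lockout."""

    def __init__(self, master_password, salt, clock=time.monotonic):
        self._salt = salt
        self._clock = clock
        self._verifier = self._derive(master_password)
        # A real app must persist these two fields, otherwise restarting
        # the app would reset the counter and defeat the limit.
        self._failures = 0
        self._locked_until = float("-inf")

    def _derive(self, password):
        # Slow key derivation, so every guess costs time even before lockout.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def seconds_locked(self):
        return max(0.0, self._locked_until - self._clock())

    def unlock(self, attempt):
        """Return 'ok', 'denied' or 'locked'."""
        if self.seconds_locked() > 0:
            # While locked, the guess is not evaluated at all: even the
            # correct password is refused, so guessing yields no signal.
            return "locked"
        if hmac.compare_digest(self._derive(attempt), self._verifier):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return "denied"


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    lock = VaultLock("correct horse", b"constructed-salt")
    print([lock.unlock("guess%d" % i) for i in range(MAX_ATTEMPTS)])
    print(lock.unlock("correct horse"), round(lock.seconds_locked()))
```

With these values, a brute-force run gets at most five guesses per five minutes instead of an unlimited number.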

In the end, password managers are entrusted to remember unique and complex passwords that would be too difficult for the users to remember. As such, they need to be secure and as hack-resistant as possible. This is why the companies behind such apps must make sure that their apps are as safe as they can get, and that different hacking attempts against them are unsuccessful.

Publisher: Koddos