The vulnerabilities found allow hackers to get into user accounts stored in password managers.
Researchers from the University of California have discovered vulnerabilities in five well-known password managers: RoboForm, LastPass, My1Login, PasswordBox and NeedMyPassword. The flaws could let an attacker take over user accounts on any site.
The vulnerabilities were found in many password manager features, including one-time passwords, bookmarklets and password sharing. Logic and authorization mistakes, and even an unusual web security model, could cause a vulnerability. Cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws were also found. If the hacker can force the user to run Java code on the attacker's site, then the vulnerability in the LastPass bookmarklet feature, which provides integration with Safari on iOS, can be exploited successfully.
For example, a carder could create an online-banking site and trick the fewer than 1 percent of LastPass users who use bookmarklets into logging in there. The hacker then gains access to the accounts stored in the password manager.
The CSRF vulnerability concerns the one-time password generation function in LastPass and allows a hacker to observe which applications and devices are managed by the program. The vulnerability can even be used to steal the encrypted passwords for subsequent brute-forcing. According to the researchers, this vulnerability was fixed last year.