Password managers are vulnerable to insider hacking attacks

Password managers are vulnerable to insider hacking attacks, a team of researchers has discovered. They say they found more than ten computer security-critical applications that were vulnerable to insider hacking. The majority of the vulnerabilities were found in password managers that millions of people use. People use them, for example, to store their login details.

The researchers also found that many other applications were similarly susceptible to attacks and breaches across macOS, Linux, and Windows operating systems.

The researchers, from the University of Helsinki and Aalto University, presented their findings at the DEFCON Security Conference on August 12th, 2018. They also presented their research at the Usenix Security Conference on August 17th, 2018 (Abstract citation below).

People we call ‘hackers‘ carry out hacking attacksA hacker is somebody who gains access to a computer system by breaking password codes. They are not supposed to or allowed to do this, i.e., they do it without authorization.

Password Managers vulnerable
In an Abstract regarding the vulnerabilities of password managers, the researchers wrote: “The vulnerabilities can be exploited in enterprise environments with centralized access control that gives multiple users remote or local login access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.”

Password managers typically have two parts

Computer software typically starts multiple processes to carry out different tasks. Password managers, for example, usually have two parts: an extension to an internet browser and a password vault. Both of them run on the same computer as separate processes.

These processes use a system we call IPC to exchange data. IPC stands for inter-process communication. The process does not send data to an outside network; it remains within the confines of the computer. Hence, most people consider IPC as secure.

However, the software has to protect its internal communication from other processes. Specifically, other processes running within that same computer.

Otherwise, malicious processes that other users initiated could access the data through the IPC communication channel.

Password managers might not protect IPC channels

Thanh Bui, a doctoral candidate at Aalto University, explained:

“Many security-critical applications, including several password managers, do not properly protect the IPC channel. This means that other users’ processes running on a shared computer may access the communication channel and potentially steal users’ credentials.”

Some PCs have multiple users

We generally see PCs as personal devices. However, many of them have more than one user.

Large companies, for example, may have a centralized identity and access management system. The system allows workers to log into any company computer.

In such companies, anybody in the company can launch an attack. If certain features are enabled, the attacker can also log into the computer remotely or as a guest.

Markku Antikainen, a post-doctoral researcher at the University of Helsinki, said:

“The number of vulnerable applications shows that software developers often overlook the security problems related to inter-process communication.”

“Developers may not understand the security properties of different IPC methods, or they place too much trust in software and applications that run locally. Both explanations are worrisome.”

Following responsible disclosure, the research team has reported the vulnerabilities they detected to the respective vendors. The vendors have subsequently taken measures to prevent the attacks.

The researchers carried out this study partly in cooperation with Finnish cyber-security company F-Secure.

Citation:

Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer,” Thanh Bui and Siddharth Prakash Rao, Aalto University; Markku Antikainen, University of Helsinki; Viswanathan Manihatty Bojan and Tuomas Aura, Aalto University. 27th Usenix Security Symposium, Baltimore, MD, USA, August 17, 2018.