Some Popular Password Managers Found to Auto-Fill Passwords on Untrusted Websites

Last week, Google announced that it had discovered a security issue with certain password managers, which could be tricked into autosuggesting passwords on untrusted pages. One of the benefits of a password manager is when a password is set for an account, it is tied to a specific URL or domain. When the user lands on that domain or URL, the password for that resource will be auto-filled for convenience. This feature helps to protect against phishing attacks spoofing well-known brands. If a user of a password manager landed on a phishing site, which is on a domain that is not owned by the spoofed company, the password will not be auto-filled. Google discovered that multiple password managers could be tricked into auto-filling those passwords.

Google, which has developed its own password manager, discovered that popular password managers such as Dashlane, Bitwarden, and Apple’s Safari browser password manager could all be tricked into auto-filling passwords on untrusted pages. Google notified the affected firms and gave them 90 days to fix the security issues before going public. Bitwarden and Dashlane have both confirmed that changes have been implemented, although Dashlane was not convinced that the issue uncovered by Google posed a security risk. Dashlane said passwords would never be auto-filled unless a user had saved the domain previously. Apple had not confirmed whether a fix had been implemented at the time Google went public about the security issue.

According to Google, the security issue occurs in two different scenarios: If a web page has a CSP (content security policy) sandbox response header or if forms are placed inside a sandboxed iframe. In both cases, this tripped up certain password managers. Google confirmed that its own password technology on Chrome was unaffected, and LastPass, 1Password, and Microsoft’s Edge password manager did not have this issue.

According to Google, “Password managers should check whether content is sandboxed before auto-filling credentials. This can be done in many ways, but one way is to check self.origin of a page and refusing to fill in credentials if self.origin is ‘null’,” according to the Google advisory.” Consequently, vulnerable password managers could be tricked into auto-filling credentials into untrusted pages, without the master password. There are no indications that these vulnerabilities have actually been exploited.

Password Managers Under the Spotlight

If used properly, password managers can improve security, by helping to eliminate poor password practices; however, the recent data breach at LastPass and the credential stuffing attack targeting Norton LifeLock customers have led many customers to question their decision to use a password manager. It should be noted that while these incidents are concerning, they should come as no surprise. Password managers are an attractive target for cybercriminals and password manager providers and their customers are often targeted.

In the case of LastPass, hackers obtained a copy of users’ encrypted password vaults, which allowed the hackers to easily conduct brute force attempts to guess users’ passwords. There was no breach at Norton, only a brute force campaign on its customers. If strong passwords were set for users’ vaults, they could not be guessed. Some Norton users had, however, set passwords for their Norton accounts that have been used elsewhere. As such, their accounts were accessed.

These incidents demonstrate that simply using a password manager will not improve password security. These solutions are only secure if users ensure that they follow password best practices such as setting long, complex master passwords, implementing 2-factor authentication, and never reusing passwords on multiple accounts.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news