Researchers from the Fraunhofer Institute in Germany analyzed nine password managers for Android and found 29 “implementation flaws resulting in serious security vulnerabilities” that could allow data leaks in browser research, privacy issues and password leaks.
The apps include LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore’s Password Manager, F-Secure KEY, Keepsafe, Keeper and Avast Passwords. Some have been installed by more than 50 million users.
LastPass and Dashlane were rated two of “the best password managers of 2017” by PCMag, but probably not from a security point of view: three vulnerabilities were detected in LastPass, four in Dashlane and five in 1Password.
“The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users’ confidence and expose them to high risks,” the researchers said. “Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code.”
Another major concern is that password managers also often offer to store PIN codes and credit card numbers.
“We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks,” the researchers explained. “For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.”
As of March 1, all vulnerabilities have been fixed.