Difference between revisions of "DBSA:2014-0012"

From Digibase Knowledge Base
Jump to: navigation, search
(Created page with "{{DBSAHEAD | TITLE=Online Password Managers Insecure | KEYWORDS=LastPass, RoboForm, My1Login, PasswordBox, NeedMyPassword, Passwords, Vulnerability, Information Disclosure }} ...")
 
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{DBSAHEAD
 
{{DBSAHEAD
| TITLE=Online Password Managers Insecure
+
| TITLE=Online Password Managers Deemed Insecure
 
| KEYWORDS=LastPass, RoboForm, My1Login, PasswordBox, NeedMyPassword, Passwords, Vulnerability, Information Disclosure
 
| KEYWORDS=LastPass, RoboForm, My1Login, PasswordBox, NeedMyPassword, Passwords, Vulnerability, Information Disclosure
 
}}
 
}}
Line 6: Line 6:
 
'''DBSA ID:''' {{PAGENAME}}
 
'''DBSA ID:''' {{PAGENAME}}
  
'''Regarding:''' Online Password Managers Insecure
+
'''Regarding:''' Online Password Managers Deemed Insecure
  
 
'''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 00:24, 15 July 2014 (EDT)
 
'''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 00:24, 15 July 2014 (EDT)
Line 33: Line 33:
 
Multiple password management solutions have been evaluated and revealed to contain web-based exploits that may result in passwords for third party services being revealed. Among these services evaluated are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. These services however are not the only online unified credential management services that could contain these issues.
 
Multiple password management solutions have been evaluated and revealed to contain web-based exploits that may result in passwords for third party services being revealed. Among these services evaluated are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. These services however are not the only online unified credential management services that could contain these issues.
  
The issue at hand specifically is that an attacker may utilize weaknesses in the services' software or the like to leverage access into passwords that the services host, including email passwords, online shopping and banking passwords, workplace credentials for remote access, identities, among other services that users value.
+
The issue at hand specifically is that an attacker may utilize weaknesses in the services' software or the like to leverage access into passwords for services, including email passwords, online shopping and banking passwords, workplace credentials for remote access, identities, among other services that users value.
  
 
==Mitigation/Solution==
 
==Mitigation/Solution==
Users of these online password manager services are advised to remove all information from the services and discontinue use of these services if at all possible and to treat similar services as potential risks. Passwords should be memorized to maximize security but in the absence of such memorization it is advised to use local password managers that do not use an online account of any kind.
+
Users of these online password manager services are advised to remove all information from the services and discontinue use of these services if at all possible and to treat similar services as potential risks. Passwords should be memorized to maximize security but in the absence of such memorization it is advised to use local password managers that do not use an online account or storage of any kind. The preferred secure method to manage a password database is to maintain a text file that is encrypted and when the database is in use and is unencrypted to ensure there is not a third party observing the database.
  
Password entry of such tools should not be automatic and should require manual use to enter passwords to avoid attempts by attackers to trick automatic entry for phishing purposes.
+
Password entry should not be automatic and should require manual use to enter passwords to avoid attempts by attackers to trick automatic entry for phishing purposes.
  
 
==References==
 
==References==

Latest revision as of 00:37, 15 July 2014

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Online Password Managers Deemed Insecure

Keywords: LastPass, RoboForm, My1Login, PasswordBox, NeedMyPassword, Passwords, Vulnerability, Information Disclosure

DBSA ID: 2014-0012

Regarding: Online Password Managers Deemed Insecure

Writeup: Kradorex Xeron (talk) 00:24, 15 July 2014 (EDT)

Date: 2014 07 15

Last Modified: 20140715003750 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: HIGH

Rationale: Immediate action is necessary to keep information secured against third party threats.

Severity: HIGH

Rationale: Vulnerabilities can disclose passwords for other services, to which there often is no solid mitigations a user can perform.

Spread of Issue: MULTI-PLATFORM MODERATE

Rationale: Services provide browser extensions on multiple platforms, there are substantial number of users of these services.

Description

Multiple password management solutions have been evaluated and revealed to contain web-based exploits that may result in passwords for third party services being revealed. Among these services evaluated are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. These services however are not the only online unified credential management services that could contain these issues.

The issue at hand specifically is that an attacker may utilize weaknesses in the services' software or the like to leverage access into passwords for services, including email passwords, online shopping and banking passwords, workplace credentials for remote access, identities, among other services that users value.

Mitigation/Solution

Users of these online password manager services are advised to remove all information from the services and discontinue use of these services if at all possible and to treat similar services as potential risks. Passwords should be memorized to maximize security but in the absence of such memorization it is advised to use local password managers that do not use an online account or storage of any kind. The preferred secure method to manage a password database is to maintain a text file that is encrypted and when the database is in use and is unencrypted to ensure there is not a third party observing the database.

Password entry should not be automatic and should require manual use to enter passwords to avoid attempts by attackers to trick automatic entry for phishing purposes.

References