Researchers at the University of York have shown that some commercial password managers (depending on the version) may not be a watertight way to ensure cybersecurity.
After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.
The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.
Robert Capps, Vice president at NuData Security, a Mastercard company, said: “Security research like this, that finds potential vulnerabilities, is critical to making businesses and consumers safer by allowing potential weaknesses to be addressed in a responsible way, before they can be exploited.
“It’s good to keep in mind that password managers are still the best way to manage passwords so that consumers always have a different, strong password for each account. As cybercriminals use phishing, hacking, and brute force attacks and other techniques to steal passwords, it is mandatory that consumers have a different password for every account, limiting their exposure to the ongoing wave of data breaches.
“Password managers help consumers keep track of their strong, unique passwords in a user-friendly way and help to prevent them from inadvertently disclosing their passwords to a fraud Phishing scheme. For those accounts that allow it, end users should activate two-factor authentication for further security. Luckily, companies are moving away from using only a username and password for authentication, opting to add more layers that include behavioural analytics and passive biometrics, so that vulnerabilities like this one thwart future fraud. If a user has the correct password but is behaving suspiciously, these technologies can be stopped it before any fraud happens.”
Click below to share this article
