News

Password managers vulnerable to insider hacking

Communication channels between different parts and pieces of computer software are prone to security breaches. Anyone with access to a shared computer can attack or involuntarily subject it to security breaches.

Researchers from Aalto University and the University of Helsinki have found over ten computer security-critical applications that are vulnerable to insider attacks. Most of the vulnerabilities were found in password managers used by millions of people to store their login credentials. Several other applications were found to be similarly susceptible to attacks and breaches across the Windows, macOS and Linux operating systems.

Computer software often starts multiple processes to perform different tasks. For example, a password manager typically has two parts: a password vault and an extension to an internet browser, which both run as separate processes on the same computer.

To exchange data, these processes use a mechanism called inter-process communication (IPC), which remains within the confines of the computer and does not send information to an outside network. For this reason, IPC has traditionally been considered secure. However, the software needs to protect its internal communication from other processes running on the same computer. Otherwise, malicious processes started by other users could access the data in the IPC communication channel.

‘Many security-critical applications, including several password managers, do not properly protect the IPC channel. This means that other users’ processes running on a shared computer may access the communication channel and potentially steal users’ credentials,’ explains Thanh Bui, a doctoral candidate at Aalto University.

While PCs are often thought to be personal, it is not uncommon that several people have access to the same machine. Large companies typically have a centralized identity and access management system that allows employees to log into any company computer. In these scenarios, it is possible for anyone in the company to launch attacks. An attacker can also log in to the computer as a guest or connect remotely, if these features are enabled.

‘The number of vulnerable applications shows that software developers often overlook the security problems related to inter-process communication. Developers may not understand the security properties of different IPC methods, or they place too much trust in software and applications that run locally. Both explanations are worrisome,’ says Markku Antikainen, a post-doctoral researcher at the University of Helsinki.

Following responsible disclosure, the researchers have reported the detected vulnerabilities to the respective vendors, which have taken steps to prevent the attacks. The research was done partly in co-operation with F-Secure, a Finnish cyber-security company.

The research will be presented at the DEFCON security conference on August 12, 2018, and at the Usenix Security conference on August 17, 2018.

The publication is available directly from the authors and will be online after the Usenix conference at https://www.usenix.org/conference/usenixsecurity18/presentation/bui.

More information

Thanh Bui, Doctoral Candidate
Aalto University
tel. +358 50 4658007
[email protected]

Markku Antikainen, Postdoctoral Researcher
University of Helsinki
tel. +358 50 3396900
[email protected]

  • Published:
  • Updated:
Share
URL copied!

Read more news

Päivi Törmä ja Sebastiaan van Dijken
Press releases, Research & Art Published:

Guiding spin waves with light could lead to faster and much more energy efficient computing

Major new research project at Aalto University aims to develop new type of computing device that eliminates massive amounts of waste heat produced by current devices
The picture shows the School of Business in winter time and during sunset. The photo was taken by Mikko Raskinen from Aalto University.
Research & Art Published:

Climate change is serious business

According to Senior University Lecturer Leena Lankoski, there are both compelling sustainability reasons and compelling business reasons for companies to urgently address their environmental impact.
City silhouette illustration with data symbols.
Research & Art Published:

Register for Research Data Management and Open Science Training in Spring 2022!

Aalto Research Data Management Network organises training in research data management and open science in spring 2022.
Purppuranvärisellä taustalla vaaleanrusehtavia pellavaisia kuituja, kuva Julie-Anne Gandierin materiaalitutkimuksesta, kuva Valeria Azovskaya
Research & Art Published:

Three flagships receive continued funding

Materials Bioeconomy FinnCERES, Finnish Center for Artificial Intelligence FCAI and the platform for photonics research PREIN have received the Academy of Finland’s funding for second flagship term