After the Heartbleed vulnerability shook most of the Internet earlier this year, many users turned to password management services in order to reset their account credentials with affected sites. However, it seems that even these security-oriented services may not be safe to use. In a new paper, a group of researchers at UC Berkeley examined five common Web-based password managers, and they found vulnerabilities in each that could have led to compromised user data.
The services in question—LastPass, RoboForm, NeedMyPassword, My1Login, and PasswordBox—all fell to at least one of a variety of attacks, including vulnerabilities in bookmarklets, cross-site scripting, cross-site request forgery, phishing, and unauthorized access to shared logons. Each of the services was about as vulnerable as any other, so there's no real winner to be named here.
The researchers disclosed their findings to the services they studied, and most of the companies affected patched the vulnerabilities before the study was made public. NeedMyPassword never responded to the researchers' vulnerability disclosure, however, even as the paper went to publication (the study took place about a year ago.) If you're a user of that service, you may want to find a new password manager.
The researchers warn that their manual analysis of these vulnerabilities was far from exhaustive, so other critical bugs might still lurk in these services. Applications that run outside the browser, like 1Password, Password Safe, and KeePass may be more secure solutions, but even the most trustworthy software isn't 100% free of bugs. If you do choose to use a cloud-based service, be aware that the convenience of the cloud may also bring security risks.
|1. BIF - $340||2. Ryu Connor - $250||3. mbutrovich - $250|
|4. YetAnotherGeek2 - $200||5. End User - $150||6. Captain Ned - $100|
|7. Anonymous Gerbil - $100||8. Bill Door - $100||9. ericfulmer - $100|
|10. dkanter - $100|
|Lenovo ThinkCentre and ThinkPad machines pack AMD PRO APUs||16|
|Seagate 5TB BarraCuda and 2TB FireCuda drives are big and speedy||7|
|Nvidia licenses Rambus' DPA tech for side-channel data leak prevention||6|
|iOS 10.1 update includes portrait mode beta for iPhone 7 Plus||3|
|Biostar belatedly announces GTX 1060 graphics cards||12|
|HyperX Alloy keyboard gets lean and mean for FPS gaming||8|
|AMD drops prices on the Radeon RX 460 and RX 470||50|
|Reports: Radeon RX 470D is a budget Polaris card for China||9|
|Examining reports of slow write speeds on the 32GB iPhone 7||33|
|A real "console monitor" would be 720p @ 30 Hz ;P||+64|