40% of password managers are vulnerable to cracking

Tomcat

Experts from the University of York (England) have proved in the course of their research that not all password managers are a reliable means of ensuring cybersecurity. Using a specially crafted malicious application, the scientists were able to trick one of the first lines of defense against malware and credential theft and steal passwords.

Experts managed to trick two out of five tested password managers. The programs used weak criteria both for identifying legitimate applications and for autofilling the username and password. The vulnerability allowed researchers to impersonate a legitimate application by simply creating a “rogue program” of the same name.

As noted by experts, some password managers were also vulnerable to brute-force attacks, since they did not set a limit on the number of attempts to authorize a user in an account. Thus, criminals can gain access to the victim's account within two and a half hours if it is protected by a four-digit PIN.

“Our research shows that a phishing attack from a malicious application is feasible. If the victim is tricked into installing a malicious application, it will be able to present itself as a legitimate program when asked for autofill,” the experts explained.

Despite these research findings, experts still recommend using trusted password managers for cybersecurity as they remain the safer and more convenient option.
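The weak identification criterion described above (matching an application by name only) can be contrasted with a stricter check. This is an added example, not code from the researchers or from any password manager; the class and function names, the sample apps and the choice of pinning the signing certificate digest as the stronger criterion are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledApp:          # hypothetical view of an app requesting autofill
    name: str                # name reported by the app; anyone can reuse it
    signing_cert: bytes      # certificate that signed the installed package

@dataclass(frozen=True)
class VaultEntry:            # hypothetical stored credential
    app_name: str
    cert_sha256: str         # signer digest pinned when the credential was saved
    username: str
    password: str

def cert_digest(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

def weak_match(entry: VaultEntry, app: InstalledApp) -> bool:
    # Name-only check: a second program with the same name also passes.
    return entry.app_name == app.name

def strict_match(entry: VaultEntry, app: InstalledApp) -> bool:
    # Name AND signer must match the values recorded at save time.
    same_name = entry.app_name == app.name
    same_signer = hmac.compare_digest(entry.cert_sha256,
                                      cert_digest(app.signing_cert))
    return same_name and same_signer

def autofill(entry, app, matcher):
    # Release credentials only when the matcher accepts the requesting app.
    return (entry.username, entry.password) if matcher(entry, app) else None

# Constructed sample data: two apps sharing one name, signed by different parties.
GENUINE = InstalledApp("com.example.bank", b"constructed-cert-vendor")
LOOKALIKE = InstalledApp("com.example.bank", b"constructed-cert-other")
ENTRY = VaultEntry(GENUINE.name, cert_digest(GENUINE.signing_cert),
                   "alice", "constructed-password")

if __name__ == "__main__":
    for label, app in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label,
              "name-only:", autofill(ENTRY, app, weak_match) is not None,
              "name+signer:", autofill(ENTRY, app, strict_match) is not None)
```

With the name-only matcher both apps receive the credential; with the signer pinned, only the app that was present when the entry was saved does.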
 