Investigadores descobriram que alguns dos populares gestores de palavras-passe parecem fazer um fraco trabalho na limpeza das passwords da memória do SO depois de serem utilizadas.
Uma análise realizada pelo Independent Security Evaluators (ISE) revelou o problema em diferentes graus nas versões do 1Password, Dashlane, LastPass e KeePass.
A boa notícia é que todos os softwares mantém as passwords num cofre totalmente seguro, I.e., o chaveiro de palavras-passe é cifrado e as palavras-passe são armazenadas num modelo de security-by-design.
No entanto, as coisas pioraram um pouco quando o ISE notou como os softwares protegem as palavras-passe no momento em que o utilizador copia a palavra-passe do software e a insere no sistema onde se deseja autenticar. A forma como a palavra-chave mestra é tratada também foi observado.
However, things went downhill a bit when ISE looked at how these products secure passwords in both the locked state (running prior to entering the master password or running after logging out), and the fully unlocked state (after entering the master password).
1Password4 for Windows (v188.8.131.526)
This legacy version keeps an obfuscated version of the master password in memory which isn’t scrubbed when returning to a locked state. Under certain conditions, a vulnerable cleartext version is left in memory.
1Password7 for Windows (v7.2.576)
Despite being the current version, the researchers rated it as less secure than 1Password4 because it decrypts and caches all database passwords rather one at a time. 1Password7 also fails to scrub passwords from memory, including the master password, when moving to a locked state. This compromises the effectiveness of the lock button, requiring the user to completely exit the program.
Dashlane for Windows (v6.1843.0)
Exposes only one password at a time in memory until a user updates an entry at which point the entire database is exposed in plaintext. This remains true even when the user locks the database.
KeePass Password Safe (v2.40)
Database entries are not scrubbed from memory after each is used although the master password was, thankfully, not recoverable.
LastPass for Applications (v4.1.59)
Database entries remain in memory even when the application is locked. Furthermore, when deriving the decryption key, the master password is “leaked into a string buffer” where it is not wiped, even when the application is locked (note: this version is used to manage application passwords and is distinct from the web plugin).
Clearly, if passwords – especially master passwords – are hanging around in memory when the application is locked, this raises the possibility that malware could steal this data after infecting a computer.
The counter-argument is that if malware infects your computer, pretty much everything on that system is at risk whether it’s obfuscated in memory or not. No security application can possibly guarantee to defend against this sort of threat.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.