
Fraunhofer does Password Managers

In their article Password-Manager Apps, the Fraunhofer TeamSIK (Security Is Key) looked at a number of password manager applications and found several vulnerabilities.

For 1Password, which I am using, the following things were found in its Android app:

  • Subdomain Password Leakage: The password manager does not distinguish between subdomains of the same 2nd level domain. So for domain1.password.org and domain2.password.org the same passwords are offered (and filled in).

    This is not a problem in the way I am using 1Password on the Desktop (it’s not filling things in unasked, and it does not hit return), and even less so on Android.

  • https downgrade to http: In the internal browser the default scheme is set to http.

    This is not a problem the way I am using 1Password on the Desktop (I do not use 1Password to navigate), and even less so on Android.

  • Titles and URLs Not Encrypted in 1Password Database: In the database of the password manager, the titles and URLs of website entries are not encrypted. The article does not clarify whether that affects Dropbox-stored keychains, and if so, which of the two formats.

    See also How to switch to the OPVault format from Agile Keychain, which addresses a similar, but different earlier problem on the Desktop versions of 1Password.

  • Read Private Data From App Folder in 1Password Manager: The built-in web browser allows files from the app’s private data directory to be extracted. This also allows access to the database file and the file containing the app’s shared preferences.

    Only a problem if you are using the internal browser (which I don’t).

  • Privacy Issue, Information Leaked to Vendor: When the user creates a new entry containing credentials for a website, the respective target domain is leaked to the vendor’s web server.

    1Password downloads an icon for the site. That can be disabled (on the Desktop version, at least).

All in all nothing earth-shattering, and nothing in it that would have compromised passwords in the way I am using it.
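Two of the findings above are really questions of autofill policy: how a bare host is turned into a URL (the reviewed browser defaulted to http), and which stored logins are offered for a given page (any entry on the same second-level domain, instead of the same host). The following Python is an added example written for this post, not code from 1Password or from TeamSIK; it models both decisions. The vault entries and the tiny public-suffix table are constructed for illustration, and a real implementation would load the full Public Suffix List, which is also what keeps every .co.uk site from counting as one domain.

```python
"""Autofill URL-matching policy (added example; not 1Password's or TeamSIK's code).

Modelled decisions:
  1. A URL typed without a scheme defaults to https, never http.
  2. Stored logins are offered by exact host ("host") or by registrable
     domain ("domain", the behaviour TeamSIK flagged as Subdomain Password
     Leakage).
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
# A real implementation must load the complete list.
PUBLIC_SUFFIXES = {"org", "com", "uk", "co.uk"}


def normalize_url(raw: str) -> str:
    """Return a URL with an explicit scheme; a bare host becomes https://host."""
    if "://" not in raw:
        raw = "https://" + raw  # safe default; the reviewed browser used http
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {raw!r}")
    return parts.geturl()


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly scheme-less) URL."""
    return urlsplit(normalize_url(url)).hostname.lower()


def registrable_domain(host: str) -> str:
    """eTLD+1: the longest matching public suffix plus one more label.

    example.co.uk and bank.example.co.uk both map to example.co.uk, while
    shop.other.co.uk maps to other.co.uk, so two .co.uk sites do not share
    credentials just because they share the suffix.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def matching_logins(page_url: str, vault: list[dict], policy: str = "host") -> list[str]:
    """Titles of vault entries offered for page_url under the given policy."""
    page_host = host_of(page_url)
    hits = []
    for entry in vault:
        entry_host = host_of(entry["url"])
        if policy == "host":
            same = entry_host == page_host
        elif policy == "domain":
            same = registrable_domain(entry_host) == registrable_domain(page_host)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if same:
            hits.append(entry["title"])
    return hits


# Constructed sample vault; hosts follow the article's domain1/domain2 example.
VAULT = [
    {"title": "domain1 account", "url": "domain1.password.org"},
    {"title": "domain2 account", "url": "https://domain2.password.org/login"},
    {"title": "UK shop", "url": "https://shop.example.co.uk"},
    {"title": "UK bank", "url": "https://bank.other.co.uk"},
]

if __name__ == "__main__":
    print(normalize_url("domain1.password.org"))
    print("domain policy:", matching_logins("domain1.password.org", VAULT, "domain"))
    print("host policy:  ", matching_logins("domain1.password.org", VAULT, "host"))
    print("co.uk check:  ", matching_logins("https://shop.example.co.uk", VAULT, "domain"))
```

Under the "domain" policy the domain1 page is offered both password.org logins, which is the leakage the review describes; under "host" only the matching entry is offered. The .co.uk case shows why the suffix table matters: without it, `shop.example.co.uk` and `bank.other.co.uk` would collapse to the same "co.uk" domain.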

Published in Hackerterrorcybercyber

3 Comments

  1. kris

    LastPass:

    https://team-sik.org/sik-2016-022/
    Hardcoded Master Key in LastPass Password Manager

    That’s a WTF. The PIN-to-Password translation uses a store for the password, which is protected by a hardcoded password instead of using an Android secure element or similar.

    The other LastPass issues are a search data leakage to google (WTF, but minor), and a master password leakage (see above) through file URLs in the internal browser.

  2. kris

    1Password can unlock with a fingerprint instead of the vault password on some devices. The vault password needs to be stored somewhere in order to do that.

    Fraunhofer is not addressing this. Unclear if the LastPass attack would work or if 1Password is using Secure Element storage.

  3. Dirk

    Regarding Subdomain Password Leakage: I hope this does not mean it offers the same password on every .co.uk domain; that would be bad. But I’m pretty sure 1Password was not that dumb.
