Password managers vulnerable to insider hacking, study shows

Many of the vulnerabilities were found in password managers used by millions to store login credentials

New research indicates that communication channels between different pieces of computer software are prone to security breaches. Researchers from Aalto University and the University of Helsinki uncovered over ten security-critical applications susceptible to insider attacks.

In addition, several other applications were particularly vulnerable to security breaches. According to the study, Windows, macOS and Linux were amongst the operating systems open to cyber breaches.

In order to exchange data, computer processes use a mechanism called inter-process communication (IPC). IPC is traditionally perceived as secure as it remains within the confines of the computer.

It is therefore essential that software be able to protect its internal communication from other processes running on the same computer. If the IPC channel lacks such protection, malicious processes started by other users can potentially access it.
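One way a local service can keep other users' processes off its IPC channel, shown as an added example that is not from the study or this article. It assumes a Unix domain socket on Linux (the article does not name an IPC method); the socket name and the `OK` reply are placeholders.

```python
import os
import socket
import struct
import tempfile

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid


def peer_uid(conn):
    """UID of the process at the other end of a Unix socket (Linux only)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, _gid = UCRED.unpack(raw)
    return uid


def open_private_listener():
    """Listen on a Unix socket that other local users cannot reach."""
    directory = tempfile.mkdtemp(prefix="ipc-demo-")  # created with mode 0700
    path = os.path.join(directory, "ipc.sock")        # hypothetical socket name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)  # owner-only, in addition to the 0700 directory
    srv.listen(4)
    return srv, path


def handle_one(srv, allowed_uid=None):
    """Accept one client; serve it only if the kernel reports the expected UID."""
    allowed_uid = os.getuid() if allowed_uid is None else allowed_uid
    conn, _ = srv.accept()
    with conn:
        if peer_uid(conn) != allowed_uid:
            return False          # drop the connection without sending anything
        conn.sendall(b"OK")       # placeholder for the real application protocol
        return True


if __name__ == "__main__":
    srv, path = open_private_listener()
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    print("served" if handle_one(srv) else "rejected")
```

The filesystem permissions and the kernel-reported peer UID are two independent checks, so a mistake in one does not by itself expose the channel to other local users.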

“Many security-critical applications, including several password managers, do not properly protect the IPC channel,” Thanh Bui, a doctoral candidate at Aalto University, said. “This means that other users’ processes running on a shared computer may access the communication channel and potentially steal users’ credentials,” Bui added.

It is not uncommon for several people to have access to the same computer. In these cases, it is possible for an attacker to enter the computer as a guest or connect remotely.

Furthermore, large businesses usually have an access management system that allows employees to use any company computer. In this professional environment, it is possible for anyone in the company to initiate an attack on sensitive data.  

This indicates that software developers frequently fail to address security issues related to insider communication. “The number of vulnerable applications shows that software developers often overlook the security problems related to inter-process communication,” Markku Antikainen, a post-doctoral researcher at the University of Helsinki, said.

“Developers may not understand the security properties of different IPC methods, or they place too much trust in software and applications that run locally.” Antikainen concluded that “both explanations are worrisome.” 

Last month, Gartner found that just over half of organisations currently employ a cybersecurity expert. While 95% of CIOs said that they expected cybersecurity threats to increase over the next three years, only 65% actually possessed an expert in this field.

Moreover, surveys from Centrify and OpenVPN indicate that employees in the UK and US are compromising cybersecurity. The reports concluded that employees are a company’s greatest asset, but also a company’s greatest security risk.
