Password managers are not invulnerable. But don’t tell anyone

password_manager_vulernable

Password managers are great. But they are not infallible.

It turns out, doing the right thing is not always the best idea.

What we mean to say is that the author of a recently-published research found out first hand that just because someone manages to examine various flaws in the market’s premier password managers does not mean that the platform on which that someone works will not kick that someone off it.

The platform in question is Bugcrowd.

Bugcrowd, as some of you might already know is the most popular platform for people to report vulnerabilities in various pieces of software.

The latest incidence happened after a company which the author named in his research actually made the effort to report the author to the platform.

Apparently, the company felt the author actually violated the terms of service contract of Bugcrowd.

More specifically, Bugcrowd had no problems in shutting down the account of Adrian Bednarek.

As mentioned just now, apparently he deliberately violated Bugcrowd’s rules on issues such as unauthorized disclosure.

Aidan did that by telling a specific reporter about a security vulnerability which existed in LastPass.

LastPass, as most of us already know is the most used password management service on the internet at the moment.

As it turns out, the security vulnerability is actually an old bug which some other researcher had previously pointed out as well in a report.

However, the password managers in question still had not fixed the security vulnerability.

Adrian Bednarek also disclosed disclosure timeline with a publication by the name of CyberScoop.

According to that, Bednarek quickly found out that Bugcrowd had banned him on Feb 12.

That was a full day after Bednarek mentioned that he spoke with a reporter from the The Washington Post to help out in another report which his own company by the name of ISE, or Independent Security Evaluators, ultimately managed to publish back on Tuesday.

According to authentic sources, Bednarek had actually reported the found security vulnerability to the platform Bugcrowd some time on January 19.

However, once he did that he got the message that his found bug report was actually a duplicate.

In a response to that, Bednarek replied back by saying that no one had fixed the bug yet.

While talking to CyberScoop, Bednarek said that he actually wanted Bugcrowd to reinstate him.

He also said that he wanted to help the platform improve its terms of service document.

shutterstock_1248926485

Furthermore, he said that he was going to reach out to the Bugcrowd platform and would clarify the situation with them and hopefully everything would work out fine in the end.

Bednarek hopes that his work would help Bugcrowd make their disclosure rules and policies more clear.

With that said it is also true that LastPass went straight to work despite the fact that there was a kerfuffle going on in the background.

The password management service released a quick patch for the found security bug.

LastPass had previously mentioned that the found bug only affected the legacy security application which only accounted for less than a total of 0.2 percent of all of the company’s service usage.

Hypothetically speaking, if the hacker found a way to exploit the security vulnerability based on the Windows platform, that could allow the hacker to recover the user’s LastPass master password just by looking in the machine’s memory.

Furthermore, Bednarek actually conceded that he did violate the terms of service of Bugcrowd.

However, then he complained that he did so because Bugcrowd had an overly broad term of service.

He believed that the platform could use the broad terms of service document in order to ban researchers unfairly.

He told CyberScoop that if such issues did get past the firewall that had become various third-party security vulnerability and bug reporting platforms then they could quickly reach the companies as well.

That, in turn, might force the companies to take such issues more seriously.

Furthermore, he said he thought some information actually got lost in this whole process of reporting it to various third-party bug-reporting platforms.

As far as Bednarek, the entire episode pointed towards a much broader issue that affected the whole industry.

He said that despite some progress, the process via which security researchers had to report software vulnerabilities to various organizations was still, generally speaking, pretty much a gamble.

He also said that sometimes the process of reporting security bugs went smoothly, while other times the security researcher could face a lot of friction.

On the other hand, one of the representatives from LastPass mentioned to the media that the company was completely supportive of responsible and sincere disclosure of various security vulnerability reports.

LastPass also mentioned that the company had worked extensively with dozens of different security researchers via the Bugcrowd for several years.

Bugcrowd emerged as a vulnerability reporting platform in 2012.

Back then companies widely used the platform for clearinghouse and to learn more about their software applications.

The platform also allowed them to fix various network security vulnerabilities.

The company is based in San Francisco and boasts several big corporate clients such as the likes of Mastercard and Hewlett Packard.

Bednarek’s comments did meet some responses as well.

David Baker, the Chief Security Officer at Bugcrowd told CyberScoop that the company always felt happy to discuss suggestions and feedback with the security researcher.

He also said that the company was also willing to discuss reinstatement of the security researcher.

Apart from that, the research which came out on Tuesday also covered security vulnerabilities in a total of four other services that worked in credential-storing businesses.

Despite that, security researchers such as Bednarek and others still recommend people to make use of password managers as they represented the best means of keeping away from replicating passwords which can easily fall prey to astute and competent hackers in the wild.

 

Zohair

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Zohair

COMMENTS

WORDPRESS: 0