Keep your memory dump shut: Unveiling data leaks in password managers

CHATZOGLOU, Efstratios; KAMPOURAKIS, Vyron; TSIATSIKAS, Zisis; KAROPOULOS, Georgios; KAMBOURAKIS, Georgios

doi:10.1007/978-3-031-65175-5_5

Password management has long been a persistently challenging task. This led to the introduction of password management software, which has been around for at least 25 years in various forms, including desktop and browser-based applications. This work assesses the ability of two dozen password managers, 12 desktop applications, and 12 browser plugins, to effectively protect the confidentiality of secret credentials in six representative scenarios. Our analysis focuses on the period during which a Password Manager (PM) resides in the RAM. Despite the sensitive nature of these applications, our results show that across all scenarios, only three desktop PM applications and two browser plugins do not store plaintext passwords in the system memory. Oddly enough, at the time of writing, only two vendors recognized the exploit as a vulnerability, reserving CVE-2023-23349, while the rest chose to disregard or underrate the issue.

CHATZOGLOU Efstratios; KAMPOURAKIS Vyron; TSIATSIKAS Zisis; KAROPOULOS Georgios; KAMBOURAKIS Georgios;

2024-08-07

SPRINGER VERLAG

JRC136726

1868-4238 (online),

https://doi.org/10.1007/978-3-031-65175-5_5, https://publications.jrc.ec.europa.eu/repository/handle/JRC136726,

10.1007/978-3-031-65175-5_5 (online),

Language	Citation

Name	Country	City	Type

Datasets

ID	Title	Public URL

Dataset collections

ID	Acronym	Title	Public URL

Scripts / source codes

Description	Public URL

Additional supporting files

File name	Description	File type

Show metadata record Copy citation url to clipboard Download BibTeX