An official website of the European Union How do you know?      
European Commission logo
JRC Publications Repository Menu

Unmasking the hidden credential leaks in password managers and VPN clients

cover
With the rapid growth of software services and applications, the need to secure digital assets became paramount. The introduction of Password Manager (PM) and Virtual Private Network (VPN) software was established as a pre-requisite toolkit to bolster the end-user arsenal. As a matter of fact, these types of artifacts have been around for at least 25 years in various flavors, including desktop and browser-based applications. This work assesses the ability of 12 desktop PM applications, 5 browsers with integrated PM, and 12 PMs in the form of browser plugins, along with 21 VPN client applications, to effectively protect the confidentiality of secret credentials. Our analysis focuses on the period during which an app is loaded into RAM. Despite the sensitive nature of these applications, our results show that across all scenarios the majority of PM applications store plaintext passwords in the system memory; more specifically, 75% (or 9 out of 12) of desktop PM applications, 100% (5 out of 5) of browser PMs and 75% (or 9 out of 12) of PM browser plugins leak such sensitive information. In addition, 33% (or 7 out of 21) of VPN applications leak user credentials. This practice of storing cleartext sensitive information in system memory is widely recognized as a weakness, having also been registered as CWE-316. At the time of writing, merely three vendors have recognized our exploits as vulnerabilities; two of them have already assigned CVE-2023-23349 and CVE-2024-9203, whereas the third one will issue a CVE ID once it implements the relevant fixes. The remaining vendors have either chosen to disregard or downplay the severity of this issue.
2025-07-11
ELSEVIER ADVANCED TECHNOLOGY
JRC139928
1872-6208 (online),   
https://www.sciencedirect.com/science/article/pii/S0167404824006047,    https://publications.jrc.ec.europa.eu/repository/handle/JRC139928,   
10.1016/j.cose.2024.104298 (online),   
NameCountryCityType
Datasets
IDTitlePublic URL
Dataset collections
IDAcronymTitlePublic URL
Scripts / source codes
DescriptionPublic URL
Additional supporting files
File nameDescriptionFile type 
Show metadata record  Copy citation url to clipboard  Download BibTeX
Items published in the JRC Publications Repository are protected by copyright, with all rights reserved, unless otherwise indicated. Additional information: https://ec.europa.eu/info/legal-notice_en#copyright-notice