PSA: New Zero-Day vulnerability found impacting most password managers. Crypto wallet browser extensions may be at risk as well.

Urgent Security Alert: New Zero-Day Vulnerability Threatens Password Managers and Crypto Wallet Extensions

In a significant development within cybersecurity, a newly disclosed zero-day vulnerability has been identified that affects a wide range of browser-extension password managers. The flaw puts the stored data of millions of users at risk, including login credentials, payment card details, personal information, and time-based one-time password (TOTP) codes. Notably, certain cryptocurrency wallet browser extensions may also be vulnerable.

Understanding the Vulnerability

Security researcher [Name or pseudonym, if available] has detailed a novel attack technique that works against multiple password-manager extensions across popular browsers. The attacker-controlled page manipulates the DOM around the user interface the extension injects into the page (for example by making the extension's autofill dropdown invisible and placing it under a decoy element), so that a single click on what looks like an ordinary page control actually lands on the extension's autofill UI and causes it to fill stored data into fields the attacker reads out.

According to the researcher, the attack is highly versatile and can be adapted to other kinds of extensions that inject into or manipulate the Document Object Model (DOM), including crypto wallets, note-taking tools, and more.

“I described a new attack technique with multiple attack variants and tested it against 11 password managers. This resulted in discovering several 0-day vulnerabilities that could affect the stored data of tens of millions of users. A single click on an attacker-controlled website could allow data theft, including credit card details, personal information, login credentials, and TOTP codes. The technique is general and can be applied to other types of extensions.” — [Source: Security researcher article]
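The defensive counterpart of the technique described above, as an added example that is not code from the original post or from any password-manager vendor: a Node-runnable model of the "is my injected autofill UI actually visible and unobstructed at the click point?" check an extension can run before honoring a click. The page the extension injects into is attacker-controlled, so the check has to walk every ancestor (opacity compounds down the tree and the page can style the injected element or any ancestor) and has to look at what is painted at the click point, not only at what receives events. The `Elem` class, the scenario pages, the click coordinates and the 0.9 opacity threshold are all constructed for this example.

```javascript
// Added example: extension-side visibility check against DOM-based clickjacking
// of an injected autofill UI. Not vendor code; DOM and scenarios are constructed.

// Minimal DOM stand-in with only the style properties that matter here.
class Elem {
  constructor(name, style = {}, rect = null, parent = null) {
    this.name = name;
    this.style = Object.assign(
      { opacity: '1', visibility: 'visible', display: 'block', pointerEvents: 'auto', zIndex: 0 },
      style);
    this.rect = rect;              // {x, y, w, h}; null = no box of its own
    this.parent = parent;
    this.children = [];
    this.order = Elem.count++;     // document order: later siblings paint on top
    if (parent) parent.children.push(this);
  }
}
Elem.count = 0;

// Opacity is multiplicative along the ancestor chain: a parent with opacity 0
// makes a child with opacity 1 invisible, yet the child still receives clicks.
function effectiveOpacity(el) {
  let o = 1;
  for (let n = el; n; n = n.parent) o *= parseFloat(n.style.opacity);
  return o;
}

// display:none and visibility:hidden propagate from any ancestor as well.
function hiddenByAncestor(el) {
  for (let n = el; n; n = n.parent) {
    if (n.style.display === 'none' || n.style.visibility === 'hidden') return n.name;
  }
  return null;
}

// Approximation of stacking: the highest z-index on the path to the root.
function effectiveZ(el) {
  let z = 0;
  for (let n = el; n; n = n.parent) z = Math.max(z, n.style.zIndex);
  return z;
}

const isPainted = (el) => el.rect && !hiddenByAncestor(el) && effectiveOpacity(el) > 0;
const hit = (r, x, y) => x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h;

// Topmost *painted* element at (x, y). Unlike document.elementFromPoint this
// deliberately ignores pointer-events:none: an overlay that lets clicks pass
// through still hides the autofill UI from the user.
function topmostPaintedAt(root, x, y) {
  let best = null;
  (function walk(n) {
    if (n.style.display === 'none') return;
    if (isPainted(n) && hit(n.rect, x, y)) {
      const z = effectiveZ(n);
      if (!best || z > effectiveZ(best) || (z === effectiveZ(best) && n.order > best.order)) best = n;
    }
    n.children.forEach(walk);
  })(root);
  return best;
}

function isSelfOrDescendant(el, candidate) {
  for (let n = candidate; n; n = n.parent) if (n === el) return true;
  return false;
}

// The check to run in the click handler of the injected dropdown item before
// filling anything. The 0.9 threshold is an assumption chosen for the example.
function shouldHonorAutofillClick(root, item, click) {
  const reasons = [];
  const hider = hiddenByAncestor(item);
  if (hider) reasons.push(`hidden by ${hider}`);
  const op = effectiveOpacity(item);
  if (op < 0.9) reasons.push(`effective opacity ${op}`);
  const top = topmostPaintedAt(root, click.x, click.y);
  if (!top || !isSelfOrDescendant(item, top)) reasons.push(`obscured by ${top ? top.name : 'nothing painted'}`);
  return { ok: reasons.length === 0, reasons };
}

// Constructed scenarios. Login field at the top, extension dropdown just below it.
function benignPage() {
  const root = new Elem('html', {}, { x: 0, y: 0, w: 800, h: 600 });
  new Elem('input#user', {}, { x: 100, y: 100, w: 200, h: 30 }, root);
  const dropdown = new Elem('pm-dropdown', { zIndex: 1000 }, { x: 100, y: 130, w: 200, h: 40 }, root);
  const item = new Elem('pm-item', {}, { x: 100, y: 130, w: 200, h: 40 }, dropdown);
  return { root, item };
}
// Variant 1: page-controlled ancestor has opacity:0 and a decoy button sits at
// the same spot. The user sees the decoy; the click lands on the invisible item.
function opacityClickjackPage() {
  const root = new Elem('html', {}, { x: 0, y: 0, w: 800, h: 600 });
  new Elem('input#user', {}, { x: 100, y: 100, w: 200, h: 30 }, root);
  new Elem('button.decoy', {}, { x: 100, y: 130, w: 200, h: 40 }, root);
  const wrapper = new Elem('div.wrapper', { opacity: '0' }, null, root);
  const dropdown = new Elem('pm-dropdown', { zIndex: 1000 }, { x: 100, y: 130, w: 200, h: 40 }, wrapper);
  const item = new Elem('pm-item', {}, { x: 100, y: 130, w: 200, h: 40 }, dropdown);
  return { root, item };
}
// Variant 2: dropdown is opaque, but a decoy overlay with pointer-events:none
// is painted over it, so elementFromPoint alone would still report the item.
function overlayClickjackPage() {
  const { root, item } = benignPage();
  new Elem('div.overlay', { zIndex: 2000, pointerEvents: 'none' }, { x: 0, y: 0, w: 800, h: 600 }, root);
  return { root, item };
}

const CLICK = { x: 150, y: 150 }; // inside the dropdown item's box

function runScenarios() {
  const out = {};
  for (const [name, build] of [['benign', benignPage], ['opacity', opacityClickjackPage], ['overlay', overlayClickjackPage]]) {
    const { root, item } = build();
    out[name] = shouldHonorAutofillClick(root, item, CLICK);
  }
  return out;
}

console.log(runScenarios());
```

The two rejected variants show why a single-element `getComputedStyle(item).opacity` check is not enough: in the first, the item's own opacity is 1 and only an ancestor is transparent; in the second, nothing about the item changes at all and only the paint order of an unrelated overlay does. A real extension would pair a check like this with a short delay after the UI appears and with rendering its UI outside the page's DOM where the browser allows it, but the visibility walk above is the part that maps directly to the click-hiding tricks.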

Which Password Managers Are Affected?

The researcher tested eleven popular password managers, revealing a mixed security landscape at the time of writing:

  • Patched / Vulnerability Fixed:
    • Bitwarden
    • Dashlane
    • Keeper
    • NordPass
    • ProtonPass
    • RoboForm

  • Still Vulnerable / Not Yet Fixed:
    • 1Password
    • iCloud Passwords
    • EnPass
    • LastPass
    • LogMeOnce

It is particularly concerning that industry leaders such as 1Password and LastPass have publicly stated that they do not plan to fix this vulnerability; users of those products should assume the attack still works against them. For more detail, the original discussion is available on the r/ProtonPass subreddit: Reddit Link.

Broader Implications

While the initial focus is on password managers, the underlying attack methodology is not limited

