- Posts
- 10,811
- Posts Power
- 10,811.0%
- Liked
- 890
- Joined
- Jan 2, 1996
- Website
- inviteshop.us
The Proton Pass password manager follows the bad practice of keeping unencrypted usernames and passwords in the computer’s memory.
To make matters worse, this sensitive data is not wiped from the memory when the vault is locked post-login, making it susceptible to exfiltration by info-stealer malware or attackers with physical access to the target machine.
The security issue was first identified by German penetration tester Mike Kuketz. He highlighted the concern on Reddit, prompting a response from a Proton AG employee, the developers behind the software, who assured a fix in the upcoming update.
Despite multiple updates to Proton Pass since then, the security vulnerability persisted. Kuketz later received feedback from another company representative, explaining that this was standard behavior across many open-source password managers, including the competing product from Bitwarden.
The researcher gives the following steps to reproduce the issues on the latest version (1.6.1) of the Proton Pass add-on for Chrome and Firefox browsers:
Caught, fixed, and crept back in
Kuketz notes that Cure53 caught that security problem in a recent audit on Proton Pass, marking it as “reported and fixed” by the time the audit report was published in July 2023.
This confused the analyst, who assumed that Cure53 was given a newer version to test that wasn’t made publicly available. However, this hypothesis made less sense after months had passed with no fix in sight.
The answer came from Proton AG themselves, who responded to Restore Privacy’s request for a comment on the situation, explaining that the issue was fixed in the summer and then reintroduced in a subsequent release. The spokesperson for the firm also told us that a fixed update should be on its way to reach users of Proton Pass before the end of the day.
While the attack requires specific conditions and doesn’t pose an immediate threat to users following good security practices, the potential for malware to exploit this flaw and steal entire password vaults isn’t as improbable as the vendor suggests. Therefore, Proton Pass users should remain vigilant and regularly check for updates to the password manager.
To make matters worse, this sensitive data is not wiped from the memory when the vault is locked post-login, making it susceptible to exfiltration by info-stealer malware or attackers with physical access to the target machine.
The security issue was first identified by German penetration tester Mike Kuketz. He highlighted the concern on Reddit, prompting a response from a Proton AG employee, the developers behind the software, who assured a fix in the upcoming update.
Despite multiple updates to Proton Pass since then, the security vulnerability persisted. Kuketz later received feedback from another company representative, explaining that this was standard behavior across many open-source password managers, including the competing product from Bitwarden.
The researcher gives the following steps to reproduce the issues on the latest version (1.6.1) of the Proton Pass add-on for Chrome and Firefox browsers:
- Install the add-on in the browser and log in.
- Open Windows Task Manager and expand browser processes.
- Right-click each process, creating an image file.
- Open the image with a hex editor.
- Use Ctrl + F to find usernames or passwords.
Caught, fixed, and crept back in
Kuketz notes that Cure53 caught that security problem in a recent audit on Proton Pass, marking it as “reported and fixed” by the time the audit report was published in July 2023.
This confused the analyst, who assumed that Cure53 was given a newer version to test that wasn’t made publicly available. However, this hypothesis made less sense after months had passed with no fix in sight.
The answer came from Proton AG themselves, who responded to Restore Privacy’s request for a comment on the situation, explaining that the issue was fixed in the summer and then reintroduced in a subsequent release. The spokesperson for the firm also told us that a fixed update should be on its way to reach users of Proton Pass before the end of the day.
While the attack requires specific conditions and doesn’t pose an immediate threat to users following good security practices, the potential for malware to exploit this flaw and steal entire password vaults isn’t as improbable as the vendor suggests. Therefore, Proton Pass users should remain vigilant and regularly check for updates to the password manager.