Security researchers have warned that popular password managers are vulnerable to insider attacks due to weaknesses in inter-process communication (IPC).
Researchers at Aalto University and the University of Helsinki added that several other applications share the same weakness, which affects password managers and other software across Windows, macOS and Linux operating systems.
Computer software often starts multiple processes to perform different tasks. For example, a password manager typically has two parts: a password vault and an extension to an internet browser, which both run as separate processes on the same computer.
To exchange data, these processes use the IPC mechanism, which remains within the confines of the computer and does not send information to an outside network.
"Many security-critical applications, including several password managers, do not properly protect the IPC channel. This means that other users' processes running on a shared computer may access the communication channel and potentially steal users' credentials," warned Thanh Bui, a doctoral candidate at Aalto University involved in the research.
Bui said this happens because it is not uncommon for several people in an organisation to have access to the same machine. For example, large organisations typically have a centralised identity and access management system that enables employees to log in to any company computer.
In these scenarios, he said, it is possible for anyone in the company to launch attacks. An attacker can also log in to the computer as a guest or connect remotely, if these features are enabled.
"The number of vulnerable applications shows that software developers often overlook the security problems related to inter-process communication," added Markku Antikainen, post-doctoral researcher at the University of Helsinki.
"Developers may not understand the security properties of different IPC methods, or they place too much trust in software and applications that run locally. Both explanations are worrisome."
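An added example, not taken from the research paper or from any vendor's product: on Linux, a vault process can keep other users' processes off its IPC channel by binding a Unix domain socket inside an owner-only directory and checking the kernel-reported peer UID before it answers. The socket name, the `vault-ipc-` prefix, the `DENIED` reply and the secret are constructed for illustration, and the denial case is simulated by telling the vault to expect a different UID.

```python
import os
import socket
import struct
import tempfile
import threading
UCRED = "iII"  # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid

def peer_uid(conn):
    """UID of the process at the other end, as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED))
    _pid, uid, _gid = struct.unpack(UCRED, raw)
    return uid

def open_private_listener():
    """Bind the socket inside a directory only the owning user can enter."""
    sock_dir = tempfile.mkdtemp(prefix="vault-ipc-")  # created with mode 0700
    path = os.path.join(sock_dir, "vault.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)  # socket file itself: owner read/write only
    srv.listen(1)
    return srv, path

def serve_one(srv, allowed_uid, secret):
    """Answer one client; release the secret only to a peer running as allowed_uid."""
    conn, _ = srv.accept()
    with conn:
        allowed = peer_uid(conn) == allowed_uid
        conn.sendall(secret if allowed else b"DENIED")
        return allowed

def demo(allowed_uid):
    """Run vault and client in one process; returns (client_reply, served)."""
    srv, path = open_private_listener()
    outcome = []
    worker = threading.Thread(target=lambda: outcome.append(
        serve_one(srv, allowed_uid, b"constructed-secret")))
    worker.start()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        reply = b"".join(iter(lambda: cli.recv(64), b""))  # read until the vault closes
    worker.join()
    srv.close()
    os.unlink(path)
    os.rmdir(os.path.dirname(path))
    return reply, outcome[0]

if __name__ == "__main__":
    print(demo(os.getuid()), demo(os.getuid() + 1))  # served, then denied
```

The UID check keeps other accounts on a shared machine away from the channel; it does not distinguish between processes running as the same user.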
Following responsible disclosure, the researchers have reported the detected vulnerabilities to the respective vendors, which have taken steps to prevent the attacks. It has not been disclosed who these companies are.
The researchers presented their findings at the 27th USENIX Security Symposium in Baltimore, Maryland this week, and have also published a research paper entitled Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer.