Security researchers have warned that popular password managers are vulnerable to insider attacks due to weaknesses in inter-process communication (IPC).
Researchers at Aalto University and the University of Helsinki added that several other applications share the same weakness, which affects password managers and other software on Windows, macOS and Linux.
Computer software often starts multiple processes to perform different tasks. For example, a password manager typically has two parts: a password vault and an extension to an internet browser, which both run as separate processes on the same computer.
To exchange data, these processes use the IPC mechanism, which remains within the confines of the computer and does not send information to an outside network.
"Many security-critical applications, including several password managers, do not properly protect the IPC channel. This means that other users' processes running on a shared computer may access the communication channel and potentially steal users' credentials," warned Thanh Bui, a doctoral candidate at Aalto University involved in the research.
Bui said this happens because it is not uncommon for several people in an organisation to have access to the same machine. For example, large organisations typically have a centralised identity and access management system that enables employees to log in to any company computer.
In these scenarios, he said, anyone in the company can launch attacks. An attacker can also log in to the computer as a guest or connect remotely, if these features are enabled.
"The number of vulnerable applications shows that software developers often overlook the security problems related to inter-process communication," added Markku Antikainen, post-doctoral researcher at the University of Helsinki.
"Developers may not understand the security properties of different IPC methods, or they place too much trust in software and applications that run locally. Both explanations are worrisome."
Following responsible disclosure, the researchers have reported the detected vulnerabilities to the respective vendors, which have taken steps to prevent the attacks. It has not been disclosed who these companies are.
The researchers presented their findings at the 27th USENIX Security Symposium in Baltimore, Maryland this week, and have also published a research paper entitled Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer.
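The following is an added example, not code from the researchers or from any vendor, showing one way a local service can refuse IPC connections from other users' processes on a shared machine. It assumes Linux and a Unix domain socket (`SO_PEERCRED` is Linux-specific); the socket name `vault.sock` and all function names are hypothetical.

```python
import os
import socket
import struct
import tempfile

def peer_credentials(conn):
    """Return (pid, uid, gid) of the connected peer via Linux SO_PEERCRED."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)

def is_authorised(peer_uid, owner_uid):
    """Only the user who owns the vault may talk to it."""
    return peer_uid == owner_uid

def open_vault_socket(directory):
    """Bind a listening socket that other local users cannot open."""
    path = os.path.join(directory, "vault.sock")  # hypothetical name
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created as 0600
    try:
        server.bind(path)
    finally:
        os.umask(old_umask)
    server.listen(1)
    return server, path

def demo():
    """Vault and browser helper modelled as two ends in one process."""
    with tempfile.TemporaryDirectory() as directory:  # created 0700
        server, path = open_vault_socket(directory)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)
        conn, _ = server.accept()
        with server, client, conn:
            _pid, uid, _gid = peer_credentials(conn)
            accepted = is_authorised(uid, os.getuid())
            # Answer only an authenticated peer; never send secrets first.
            conn.sendall(b"OK" if accepted else b"DENIED")
            return {"accepted": accepted,
                    "reply": client.recv(16),
                    "socket_mode": os.stat(path).st_mode & 0o777}

if __name__ == "__main__":
    print(demo())
```

The file permissions and the kernel-reported peer UID are two independent checks: the first keeps other accounts from connecting at all, the second catches a connection that arrives anyway.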