Keep your memory dump shut: Unveiling data leaks in password managers
Efstratios Chatzoglou, Vyron Kampourakis, Zisis Tsiatsikas, Georgios Karopoulos, Georgios Kambourakis
TL;DR
This study asks whether password managers (PMs) leak plaintext credentials while loaded in RAM. It reports an empirical memory-forensics evaluation of 24 PMs (12 desktop applications and 12 browser plugins) across six realistic usage scenarios, and introduces Pandora, an open-source red-teaming tool that extracts credentials from process memory dumps. Most of the tested desktop PMs (9 of 12, about 75%) and browser plugins (10 of 12, about 83%) expose plaintext credentials in memory, often in more than one copy and in more than one scenario; only a minority remain leak-free. The work discusses vendor responses to the disclosures, advocates adherence to OWASP security practices for handling secrets in memory, and highlights the need for secure defaults, memory-minimization strategies, and future work covering mobile platforms and other application domains.
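As an added illustration (not code from the paper and not Pandora itself), the Python script below shows the core of the known-plaintext check that such an evaluation performs: given a process dump and the credential the tester typed in, it reports every resident copy together with its encoding, and falls back to a blind `strings`-style sweep when the secret is not known in advance. The dump bytes, the account name and the password value are constructed inline for the demonstration and are not taken from any real PM.

```python
"""Scan a raw process-memory dump for plaintext copies of a credential.

Added example, not the paper's or Pandora's code.  SAMPLE_DUMP is a
constructed stand-in for a process dump so the script runs offline.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed secret and dump: the master password is left behind once as
# a UTF-16LE wide string (typical of Windows GUI code) and twice as UTF-8,
# surrounded by filler bytes and one invented account record.
MASTER_PASSWORD = "Tr0ub4dor&3"
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"username=alice@example.test\x00"                 # constructed record
    + MASTER_PASSWORD.encode("utf-8") + b"\x00"           # narrow copy #1
    + b"\xde\xad\xbe\xef" * 16                            # unrelated heap data
    + MASTER_PASSWORD.encode("utf-16-le") + b"\x00\x00"   # wide-string copy
    + b"\xff" * 32
    + MASTER_PASSWORD.encode("utf-8")                     # narrow copy #2
    + b"\x00" * 64
)

# Encodings in which a typed password commonly survives in memory.
ENCODINGS = ("utf-8", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    offset: int      # byte offset of the copy inside the dump
    encoding: str    # encoding under which the secret matched


def find_credential_copies(dump: bytes, secret: str) -> list[Hit]:
    """Known-plaintext check: every copy of `secret` in `dump`, per encoding.

    Counting copies matters: one leaked copy is a bug, several copies
    indicate the value was duplicated by string handling or UI code and
    is unlikely to be wiped consistently.
    """
    hits: list[Hit] = []
    for enc in ENCODINGS:
        needle = re.escape(secret.encode(enc))
        hits.extend(Hit(m.start(), enc) for m in re.finditer(needle, dump))
    return sorted(hits, key=lambda h: h.offset)


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Number of resident copies per encoding, e.g. {"utf-8": 2, ...}."""
    return dict(Counter(h.encoding for h in hits))


def extract_strings(dump: bytes, min_len: int = 8) -> list[str]:
    """Blind sweep for printable ASCII and UTF-16LE runs (like `strings -el`).

    Used when the credential is not known beforehand; the result is then
    filtered by hand or by a password-shaped heuristic.
    """
    ascii_runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump)
    wide_runs = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump)
    found = [m.group().decode("ascii") for m in ascii_runs]
    found += [m.group().decode("utf-16-le") for m in wide_runs]
    return found


def scan_dump_file(path: str, secret: str) -> list[Hit]:
    """Run the known-plaintext check against a dump saved on disk."""
    with open(path, "rb") as fh:
        return find_credential_copies(fh.read(), secret)


if __name__ == "__main__":
    hits = find_credential_copies(SAMPLE_DUMP, MASTER_PASSWORD)
    for h in hits:
        print(f"plaintext copy at offset {h.offset:#x} ({h.encoding})")
    print("copies per encoding:", summarize(hits))
    print("blind sweep:", extract_strings(SAMPLE_DUMP))
```

On Linux a dump of a running PM process can be taken with `gcore <pid>` (part of gdb); on Windows, Task Manager's "Create dump file" produces a minidump that can be scanned the same way with `scan_dump_file`. Real dumps are large and noisy, so the known-plaintext check is the reliable test; the blind sweep mainly shows how little effort an attacker with the dump needs.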
Abstract
Password management has long been a challenging task. This led to the introduction of password management software, which has existed in various forms, including desktop and browser-based applications, for at least 25 years. This work assesses the ability of two dozen password managers, namely 12 desktop applications and 12 browser plugins, to protect the confidentiality of secret credentials in six representative scenarios. Our analysis focuses on the period during which a Password Manager (PM) resides in RAM. Despite the sensitive nature of these applications, our results show that across all scenarios only three desktop PM applications and two browser plugins do not store plaintext passwords in system memory. Oddly enough, at the time of writing, only two vendors recognized the finding as a vulnerability, reserving CVE-2023-23349, while the rest chose to disregard or underrate the issue.
