Researchers in Finland detect vulnerability in password management software

Researchers identified a security gap in more than 10 applications used by millions around the world, including an app used by Finland's population registry.

Image: AOP

Finnish computer security researchers have detected vulnerabilities in software used for password management and many other data security purposes.

Researchers from Aalto University and the University of Helsinki said that hackers could potentially exploit the security vulnerability on shared workstations.

The group identified the security gap in DigiSign card reader software used by Finland's Population Register Centre to provide access to individuals or health care professionals via electronic ID cards.

The team explained that such password management systems often comprise two parts: a password register and a browser extension. The exchange of information between the two segments is called inter-process communication or IPC.

However the IPC channel is rarely secured, so malware could potentially give bad actors opportunities to access password information by exploiting the gap. The researchers noted that anyone with access to shared computers could attack software using the IPC communication opening.

No indication back door has been exploited

For example the centralised user management system used by many organisations makes it easy for any employee to log in to any workstation. In principle, employees working in such environments would have the opportunity to abuse the system, they explained.

It means that a miscreant could also log into someone else's account or take control of a computer if it has enabled remote access. So far, however, no one has exploited the vulnerability.

The researchers noted that anyone gaining access to a doctor's workstation via such a back door would be able to exploit the vulnerability to forge prescriptions, for example. They identified a similar security gap in more than 10 different applications used by millions worldwide.