Unmasking the hidden credential leaks in password managers and VPN clients

Abstract

With the rapid growth of software services and applications, the need to secure digital assets became paramount. The introduction of Password Manager (PM) and Virtual Private Network (VPN) software was established as a prerequisite toolkit to bolster the end-user arsenal. As a matter of fact, these types of artifacts have been around for at least 25 years in various flavors, including desktop and browser-based applications. This work assesses the ability of 12 desktop PM applications, 5 browsers with integrated PM, and 12 PMs in the form of browser plugins, along with 21 VPN client applications, to effectively protect the confidentiality of secret credentials. Our analysis focuses on the period during which an app is loaded into RAM. Despite the sensitive nature of these applications, our results show that across all scenarios the majority of PM applications store plaintext passwords in the system memory; more specifically, 75% (or 9 out of 12) of desktop PM applications, 100% (5 out of 5) of browser PMs and 75% (or 9 out of 12) of PM browser plugins leak such sensitive information. In addition, 33% (or 7 out of 21) of VPN applications leak user credentials. This practice of storing cleartext sensitive information in system memory is widely recognized as a weakness, having also been registered as CWE-316. At the time of writing, merely four vendors have recognized our exploits as vulnerabilities. Three of these vendors have assigned the relevant Common Vulnerabilities and Exposures (CVE) IDs, namely CVE-2023-23349, CVE-2024-9203, and CVE-2024-50570, whereas the fourth one will issue a CVE ID once it implements the relevant fixes. The remaining vendors have either chosen to disregard or downplay the severity of this issue.