Critical Flaw in Passwordstate

An unauthenticated remote attacker could exploit multiple high-severity vulnerabilities discovered in Passwordstate, an online password management solution, to obtain plaintext passwords belonging to users of the service.

Modzero, a Swiss cybersecurity company, reported the security issues to the developer in August, affecting version 9.6 build 9653, which was patched in early November.

As of today, Passwordstate has more than 370,000 users and is used by over 29,000 IT professionals worldwide, according to Click Studios, the Australian company that develops it.

The Passwordstate browser extension for Chrome, version 9.5.8.4, is also affected by the flaw. The latest version of the browser add-on, 9.6.1.2, was released on September 7, 2022.

Vulnerabilities Identified

According to the findings of modzero AG, the following vulnerabilities have been identified:

  • CVE-2022-3875: An authentication bypass for Passwordstate’s API (CVSS score 7.3, severity High)
  • CVE-2022-3876: A bypass of access controls through user-controlled keys (CVSS score 4.3, severity Medium)
  • CVE-2022-3877: A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry (CVSS score 3.5, severity Low)

Unauthenticated attackers who successfully exploit these vulnerabilities are able to:

  • Exfiltrate passwords from a running instance
  • Overwrite every password currently stored in the database with a newly generated one
  • Elevate their own roles, and thereby their privileges, within the application

Several vulnerabilities in the Passwordstate host system can each be exploited separately to gain a shell on the host and dump all passwords stored on it.

In an attack chain demonstrated by modzero AG, attackers could forge API tokens for administrator accounts and then obtain a reverse shell by exploiting the XSS flaw through a malicious password entry.
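The stored XSS in the chain above exists because the URL field of a password entry is persisted and later rendered into HTML. As an added illustration, not code from Passwordstate or from modzero’s report, the following Python shows the defender-side pattern: reject non-http(s) schemes when the entry is saved, and encode the value when it is rendered. The function names and sample URLs are assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes a password entry's URL field may carry. Anything else
# (javascript:, data:, vbscript:, ...) is rejected rather than "cleaned".
ALLOWED_SCHEMES = {"http", "https"}


def validate_entry_url(raw: str) -> Optional[str]:
    """Return the URL if it is safe to store, else None.

    Validating on input means the database never holds a value that a
    later rendering path could turn into script execution.
    """
    candidate = raw.strip()
    # Control characters inside the scheme ("java\tscript:") are a classic
    # way past naive prefix checks, so reject them before parsing.
    if any(ord(ch) < 0x20 for ch in candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_url_link(stored_url: str) -> str:
    """Render a stored URL as an anchor, escaped for the attribute context.

    Input validation is the primary control; output encoding is the second
    layer, so a value that somehow reached the database still cannot break
    out of the href attribute or the text node.
    """
    safe = html.escape(stored_url, quote=True)
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    print(validate_entry_url("https://intranet.example/login"))   # accepted
    print(validate_entry_url("javascript:alert(1)"))              # None
    print(render_url_link('https://intranet.example/?q="><b>'))
```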

Recommendation

To mitigate potential threats, cybersecurity analysts strongly recommend that users immediately update Passwordstate to version 9.6 – Build 9653 or later.

A company’s security infrastructure rests on a strong password management solution, which is the keystone of password safety.

Its security must therefore be treated as a holistic goal across the architecture, implementation, and maintenance phases. In light of this, it comes as no surprise that Passwordstate is, and will remain, a tempting target for cybercriminals.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.