Web browser security flaws exploited via malware to steal passwords

Passwords saved on web browsers aren't as secure as they should be, warn security specialists

Security flaws in the way popular web browsers store saved passwords, which are being targeted by malware, may be behind a string of credential leaks, security specialists have warned.

That is the view of specialists at security software company Rapid7, following an analysis of recent password leaks.

Responding to the latest leaks, security research manager Tod Beardsley said: "While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself. Specifically, it appears that the credentials were harvested from individual browsers' password stores."

He continued: "It's just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls."

An early analysis, he told Computing, points to a specialised form of malware exploiting this browser security weakness.

"It's not clear from the analysis posted so far what the vector was, but it's certainly some flavour of malware - a malicious application targeting browser-based password storage. Browser password storage tends to be in a very findable and predictable path, so either the malware accessed the store directly, or simply scraped passwords from the login screens by navigating to Twitter's login page," suggested Beardsley.

He continued: "Browser password storage favours ease of use over anything, and doesn't prompt the user for an unlock password after the first use, if at all. Firefox does prompt a user per session, while Chrome's password autofill is completely automated once signed into Google.

"Malware installed on a computer has at least the same rights as the affected user, so no password manager is truly bulletproof against a purpose-built password stealer, but an external password manager will typically require authentication for every use, and two-factor authentication does go a long way toward mitigation in the event of a password compromise."