Dashlane said it does not consider a year-old bug report to be a vulnerability, and has twice rebuffed the researcher who privately disclosed it through the password manager’s bug bounty program.
Researcher Paulos Yibelo said today that he has repeatedly asked the company to address the flaw, which he said affects every version of the product. He said he also suggested two mitigations that were not implemented.
“I reported this to the vendor and they said they will not fix this vulnerability because of it being a design issue,” Yibelo said. “So this will stay a 0day forever. Any attacker can escalate privileges on any Windows system that runs Dashlane.”
Dashlane confirmed receiving Yibelo’s bug report and said it deemed the issue not to be a threat.
“The ability to write/overwrite this dll in the Dashlane directory does not compromise the security of Dashlane or our users’ data and, although we could prevent the action, it is not necessary and wastes development and security research time,” a Dashlane representative told Threatpost.
Dashlane said Yibelo recently tried to re-open the ticket and request a bounty.
The vulnerability was privately disclosed July 24, 2016 through Dashlane’s HackerOne bug bounty program. Yibelo discovered that an attacker with least privileges, either as a standard user or by compromising an existing account, is able to elevate to admin.
“The risk is privilege escalation and the ability to execute code on the system,” Yibelo said.
Yibelo said that during an analysis of Dashlane, he learned that the password manager loads “lots of DLLs” from the %appdata% folder in Windows, and could be susceptible to a DLL hijacking attack. DLL hijacking attacks allow an attacker to inject a malicious library into an application by replacing the legitimate one.
“Since writing in %appdata% doesn’t require any privileges, one can basically just force-feed Dashlane DLLs,” Yibelo said, adding that this simplifies privilege escalation.
“This causes privilege escalation on any Windows system with Dashlane on it when a standard user plants a malicious DLL,” he said.
Yibelo said that he recommended two mitigations to Dashlane, which informed him on July 29, 2016, that it would not patch the vulnerability. The mitigations he suggested were either moving the sensitive files to the Program Files folder, or implementing integrity checking so that only DLL files with specific hashes would be loaded, he said.
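The integrity-check mitigation Yibelo describes, as an added example that is neither Dashlane’s nor Yibelo’s code: a Python audit that compares every DLL in a load directory against an allowlist of known-good SHA-256 hashes and reports files that were modified, are not on the list, or are missing. The directory, file names and file contents are constructed for the demo; the allowlist would in practice ship with the application or be pinned by an administrator.

```python
"""Audit a DLL load directory against an allowlist of known-good SHA-256 hashes."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_dll_dir(directory: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Classify each .dll in `directory` (names compared case-insensitively, as Windows does):
    ok - name and hash match; modified - name allowlisted but hash differs;
    unexpected - name not on the allowlist; missing - allowlisted name absent."""
    result: dict[str, list[str]] = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    expected = {name.lower(): digest for name, digest in allowlist.items()}
    seen: set[str] = set()
    for path in sorted(directory.iterdir()):
        if not path.is_file() or path.suffix.lower() != ".dll":
            continue
        name = path.name.lower()
        seen.add(name)
        if name not in expected:
            result["unexpected"].append(path.name)
        elif sha256_of(path) == expected[name]:
            result["ok"].append(path.name)
        else:
            result["modified"].append(path.name)
    result["missing"] = sorted(n for n in expected if n not in seen)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one intact DLL, one replaced DLL, one unknown DLL, one absent DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "core.dll").write_bytes(b"legitimate core library bytes")
        (d / "ui.dll").write_bytes(b"tampered ui library bytes")  # differs from the shipped build
        (d / "unknown.dll").write_bytes(b"file the vendor never shipped")  # not on the allowlist
        allowlist = {  # constructed hashes of the bytes the vendor is assumed to have shipped
            "core.dll": hashlib.sha256(b"legitimate core library bytes").hexdigest(),
            "ui.dll": hashlib.sha256(b"legitimate ui library bytes").hexdigest(),
            "net.dll": hashlib.sha256(b"legitimate net library bytes").hexdigest(),
        }
        return audit_dll_dir(d, allowlist)


if __name__ == "__main__":
    print(demo())
```

A loader that applied this check before calling LoadLibrary would refuse the "modified" and "unexpected" entries; run as a scheduled audit, the same output is a detection signal for a user-writable directory.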
“But Dashlane still refuses to fix this issue,” Yibelo said. “Recently, we had another talk and concluded this isn’t going to be fixed.”
Password managers have not been immune to security issues, with a number of different products suffering from vulnerabilities that put personal data and access to sensitive applications at risk. Still, during the height of last summer’s barrage of password leaks, experts were quick to recommend password managers as a solid practice for keeping credentials safe.
The impact of the leaks was exponentially greater because of password reuse, the practice of consumers and business users alike using the same credentials to access more than one sensitive system. Attackers who compromised one set of credentials had success reusing the stolen passwords elsewhere.
Password managers are seen as part of the solution because they can securely store, and generate, complex passwords for many web-based services, leaving the user with only one complex master password to remember in order to access the manager application.