Hackers have managed to add malware to an update package of the password manager Passwordstate. The malware is believed to have stolen data from infected computers. Victims are advised to install the hotfix as soon as possible.
The hack came to light when Click Studios, the developer of Passwordstate, itself reported the incident. The report revealed that between 20 and 22 April 2021, Passwordstate’s update system had been used to release an update containing a malicious DLL file called moserware.secretsplitter.dll. This DLL file contacted a URL to download a second payload.
This second payload then collected all kinds of data from the computer and sent it to the hacker’s network. This includes: Computer Name, User Name, Domain Name, Current Process Name, Current Process Id, All running Processes name and ID, All running services name, display name and status, Passwordstate instance’s Proxy Server Address, Username and Password. All data stored within Passwordstate was also read and forwarded, namely Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, Password.
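The attack replaced a DLL inside a legitimate update, so the defender-side question is whether the binaries on disk still match what the vendor shipped. The script below is an added example, not code from the article or from Click Studios: it hashes every file in an install directory and compares it with a manifest of known-good SHA-256 values, reporting modified, missing and unexpected files. Only the DLL name moserware.secretsplitter.dll comes from the article; the manifest, the other file names and the file contents are constructed sample data, and a real deployment would take the manifest from the vendor's signed release notes or a previously verified install.

```python
"""Integrity check of an installed application's files against a known-good manifest.

Added example (not Click Studios' code). It assumes the defender holds a manifest of
expected SHA-256 hashes for the legitimate files; here the manifest and the sample
files are constructed inline so the script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_install(install_dir: str, manifest: dict) -> dict:
    """Compare the files in install_dir with the manifest {file name: expected sha256}.

    Returns a report with four sorted lists: "ok", "modified", "missing", "unexpected".
    Names are compared case-insensitively, as on a Windows file system.
    """
    present = {}
    for name in os.listdir(install_dir):
        path = os.path.join(install_dir, name)
        if os.path.isfile(path):
            present[name.lower()] = path
    expected = {name.lower(): digest for name, digest in manifest.items()}

    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, digest in expected.items():
        if name not in present:
            report["missing"].append(name)          # vendor file is gone
        elif sha256_file(present[name]) == digest:
            report["ok"].append(name)               # contents match the manifest
        else:
            report["modified"].append(name)         # same name, different bytes
    for name in present:
        if name not in expected:
            report["unexpected"].append(name)       # file the vendor never shipped
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Build a constructed install directory in which the secret-splitting DLL was swapped."""
    good_dll = b"MZ legitimate secretsplitter build (constructed sample bytes)"
    tampered_dll = b"MZ same file name, different contents (constructed sample bytes)"
    other_component = b"MZ unrelated vendor library (constructed sample bytes)"

    # Known-good manifest: assumed to come from the vendor or a verified install.
    manifest = {
        "Moserware.SecretSplitter.dll": hashlib.sha256(good_dll).hexdigest(),
        "other_component.dll": hashlib.sha256(other_component).hexdigest(),
        "third_component.dll": hashlib.sha256(b"constructed, never written").hexdigest(),
    }

    with tempfile.TemporaryDirectory() as install_dir:
        with open(os.path.join(install_dir, "moserware.secretsplitter.dll"), "wb") as f:
            f.write(tampered_dll)                   # replaced DLL, as in the incident
        with open(os.path.join(install_dir, "other_component.dll"), "wb") as f:
            f.write(other_component)                # untouched vendor file
        with open(os.path.join(install_dir, "unlisted_file.dll"), "wb") as f:
            f.write(b"MZ file not in the manifest (constructed)")
        return verify_install(install_dir, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10s} {', '.join(names) or '-'}")
```

A "modified" entry for a file the vendor ships, as the demo produces for moserware.secretsplitter.dll, is the signal that warrants treating the host as compromised and rotating every credential stored in the password manager, which is exactly the advice Click Studios gave its customers.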
This means that the attacker had access to all passwords stored in the Passwordstate system, as well as other data on the infected computer. As the password manager was mainly used in corporate environments, this mainly concerns passwords for firewalls, VPNs and corporate applications. Click Studios states on its website that it is trusted by 29,000 companies.
Hotfix for victims
In a second message, Click Studios says that the number of victims of the leak is likely to be low, as the malicious update was only available for 28 hours. The company is working hard with its customers to determine who the victims are, what might have been stolen from them and what actions they should take. Click Studios has released a hotfix for the problem. Victims are advised to install that hotfix and change all passwords stored in Passwordstate.
Single point of failure
The attack demonstrates an inherent problem with password managers. Password managers provide an excellent way to maintain a strong and unique password for each login, so a data breach at a single website doesn’t expose all the user’s credentials. However, if an attacker breaks into the password manager itself, the attacker will immediately have access to all the saved passwords. The security of this single point of failure is therefore of extreme importance.