https://www.heise.de/en/news/Serious-flaw-in-critical-applications-Plaintext-passwords-in-process-memory-9830799.html

Serious flaw in critical applications: Plaintext passwords in process memory

Due to a loophole in VPN clients and password managers, confidential data remains in the process memory even after logging off and can be read out.

Aug 12, 2024 at 6:20 am CEST
iX Magazin
By Ute Roos

This article was originally published in German and has been automatically translated.

In a recent investigation, security experts from secuvera GmbH have identified a serious vulnerability in various security-relevant applications such as OpenVPN, Bitwarden and 1Password. It leads to confidential information such as passwords or login information remaining in plain text in the process memory even after users have logged out, making it easily accessible to potential attackers. This vulnerability is classified as CWE-316: Cleartext Storage of Sensitive Information in Memory.

[Figure: Security risk: plain text password in the process memory. (Image: secuvera)]

Malware on a computer is usually able to read the memory of other processes and use the data. Data such as passwords and other confidential information that is stored unencrypted in a program's memory after the login process is therefore problematic. For the study, the experts tested various applications under realistic conditions, including VPN clients and password managers that were explicitly developed to protect such user information.

At least make the attack more difficult

There is no simple solution to this inherent problem. However, some workarounds can at least make it more difficult for attackers to access the data. As the data is decrypted and loaded into the main memory in plain text at the time the program is used, even if strict guidelines for data encryption are observed, the aim should be to minimize the time window for a potential attack.

Application developers should ensure that the data is deleted from memory or at least securely overwritten as soon as it is no longer needed or the user closes or logs out of the application.

The programs tested included OpenVPN, CyberGhost VPN, Mullvad, 1Password and Bitwarden. In many of the programs tested, the confidential data was still found in the process memory even after the user had logged out - even master passwords from password managers. The reactions of the manufacturers, who were informed immediately, were varied: while some manufacturers, such as CyberGhost VPN, acknowledged the vulnerabilities and have already released security updates, other manufacturers have so far remained inactive or refused to fix the vulnerabilities. One provider even forbade the publication of its name and the results.

Further details on the investigation can be found in a blog article on the secuvera website.

(ur)
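The recommendation to overwrite secrets at logout, shown as an added example that is not code from the article, secuvera or any of the tested products: a logout that only clears a flag next to one that wipes the buffer, with a self-check that looks for the secret in the object's own memory. The `session_t` type, all function names and the sample passphrase are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical session object: holds the secret while the user is logged in. */
typedef struct { char master_password[64]; int logged_in; } session_t;

/* Zero through a volatile pointer so the compiler cannot drop the stores as
 * dead writes, as it may with a plain memset() right before free()/return.
 * Platform equivalents: explicit_bzero, memset_s, SecureZeroMemory. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

int session_login(session_t *s, const char *pw) {
    size_t len = strlen(pw);
    if (len >= sizeof s->master_password) return -1;  /* reject, never truncate */
    memcpy(s->master_password, pw, len + 1);
    s->logged_in = 1;
    return 0;
}

/* "Before": logout only flips a flag, the cleartext stays resident (CWE-316). */
void session_logout_leaky(session_t *s) { s->logged_in = 0; }

/* "After": overwrite the whole buffer, not just strlen() bytes, then log out. */
void session_logout(session_t *s) {
    secure_wipe(s->master_password, sizeof s->master_password);
    s->logged_in = 0;
}

/* Self-check for tests: is the secret still present in this object's memory? */
int secret_resident(const session_t *s, const char *secret) {
    const unsigned char *m = (const unsigned char *)s;
    size_t k = strlen(secret);
    for (size_t i = 0; k && i + k <= sizeof *s; i++)
        if (memcmp(m + i, secret, k) == 0) return 1;
    return 0;
}

int main(void) {
    const char *pw = "constructed-sample-passphrase";  /* constructed test value */
    session_t a = {0}, b = {0};
    session_login(&a, pw); session_logout_leaky(&a);
    session_login(&b, pw); session_logout(&b);
    printf("leaky logout: resident=%d\n", secret_resident(&a, pw));
    printf("wiped logout: resident=%d\n", secret_resident(&b, pw));
    return 0;
}
```

The wipe covers only this one buffer; any other copy of the secret (input fields, reallocated heap blocks, serialized requests) needs the same treatment at logout.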
Copyright (c) 2024 Heise Medien