The Proton Pass password manager follows the bad practice of keeping unencrypted usernames and passwords in the computer’s memory.
To make matters worse, this sensitive data is not wiped from the memory when the vault is locked post-login, making it susceptible to exfiltration by info-stealer malware or attackers with physical access to the target machine.
The security issue was first identified by German penetration tester Mike Kuketz. He highlighted the concern on Reddit, prompting a response from a Proton AG employee, the developers behind the software, who assured a fix in the upcoming update.
Despite multiple updates to Proton Pass since then, the security vulnerability persisted. Kuketz later received feedback from another company representative, explaining that this was standard behavior across many open-source password managers, including the competing product from Bitwarden.
The researcher gives the following steps to reproduce the issues on the latest version (1.6.1) of the Proton Pass add-on for Chrome and Firefox browsers:
- Install the add-on in the browser and log in.
- Open Windows Task Manager and expand browser processes.
- Right-click each process, creating an image file.
- Open the image with a hex editor.
- Use Ctrl + F to find usernames or passwords.
Caught, fixed, and crept back in
Kuketz notes that Cure53 caught that security problem in a recent audit on Proton Pass, marking it as “reported and fixed” by the time the audit report was published in July 2023.
This confused the analyst, who assumed that Cure53 was given a newer version to test that wasn’t made publicly available. However, this hypothesis made less sense after months had passed with no fix in sight.
The answer came from Proton AG themselves, who responded to Restore Privacy’s request for a comment on the situation, explaining that the issue was fixed in the summer and then reintroduced in a subsequent release. The spokesperson for the firm also told us that a fixed update should be on its way to reach users of Proton Pass before the end of the day.
“We’ve confirmed on our side that this bug (previously found in the Cure53 audit) has been reintroduced recently with some new Proton Pass features. This is an end-game scenario type of attack where the attacker would need access to browser or memory to have access to passwords.
This is a highly unlikely scenario, but as Proton is absolutely committed to the security and privacy of our users, we’ll be fixing this as soon as possible. We will be pushing an update to Proton Pass in the coming hours that corrects this bug and further obfuscates and hardens any data stored in memory.”
Proton AG
While the attack requires specific conditions and doesn’t pose an immediate threat to users following good security practices, the potential for malware to exploit this flaw and steal entire password vaults isn’t as improbable as the vendor suggests. Therefore, Proton Pass users should remain vigilant and regularly check for updates to the password manager.
Update: September 21, 2023
In light of further discussions with Proton AG, we wish to provide an update regarding Proton Pass’s memory management. It’s common for password managers to hold data unencrypted in memory for facilitating tasks such as auto-filling logins—this is a standard practice not considered a security flaw.
The recent highlight from the cure53 audit, which aligns with findings by Kuketz, focused on a (30 minute) delay in clearing data from memory post-PIN lock activation. It is during that period that an attacker with physical access on the machine or malware running on it, could steal the user’s credentials.
Proton AG has confirmed to RestorePrivacy that this issue has now been addressed across all platforms via updates released yesterday. Users are urged to update their Proton Pass clients to benefit from the fixes.
I agree on biometric security meassures. Until then I guess one should keep their passwords only on paper.
In somewhat similar developments, Chrome continues to retain your password data, and there’s a readily accessible online tool for uncovering it. Numerous organizations, including TransUnion and healthcare institutions, face widespread security breaches.
Perhaps it’s time to refrain from singling out specific companies or products and simply state the reality. These kinds of security breaches are pervasive, and overtly biased or sensationalist blogging may contribute to a lack of credibility and objectivity in reporting and encouraging cheerleading by a select few.
The most effective defense strategy consistently involves implementing biometric security measures.
Proton Pass is fresh product likely released under pressure for features/sales. I think it’s good to call out on single companies. It’s not sensational blogging at all. There are many people that are just trusting name brand and thinking their products are more secure than others. A little reality check is always good to blog about. I’m a proton customer and reading good or bad is always good to maintain perspective. You won’t hear about this on Protons blog.
Thank you Sir for the informative article. Personally I use and recommend Dashlane. It is very Good.
Did I understand correctly that this issue is also present in Bitwarden? Maybe something to mention in your review…
Yes, the memory whipe isnt activated from start, but one can choose how long the password is in memory in the settings. I dont know if Proton has the same feature.
The Mike Kuketz link above mentions more about Bitwarden at the end of the reader’s letter:
“I also find it strange that after logging in ProtonPass for the first time (regardless of whether iOS, Android or browser extension), you only need a PIN code to unlock the password store.
With Bitwarden, the individual entries in the password store are decrypted with a “symmetric key”. When the password memory is locked, the memory is cleaned.”
Translated by DeepL