Do us codebook users need to worry about this story?


#1

Top password manager apps are leaving your secrets fully exposed – study
TrustedReviews

Security conscious tech enthusiasts will tell you a password manager is the best way to safeguard your account details in one place, while ensuring you aren’t tempted to commit the cardinal sin of reusing passwords. However, new research published by the Washington Post has claimed five of the most popular password management services have serious security flaws. The study from the ethical hackers Independent Security Evaluators asserts that a number of the top apps are vulnerable to ‘targeted

Read the full story


#2

The article specifically mentions “1Password, Dashlane, KeePass, LastPass and RoboForm”, but not Codebook. However, it’s a good question.


#3

What does Codebook’s team tell us about this?


#4

For context, here is a direct link to the post that is making the rounds:

https://www.securityevaluators.com/casestudies/password-manager-hacking/

The short summary of this report is that the investigators performed analysis on the running state of various password managers and reported on the fact that sensitive information was present in memory at various points during the application lifecycle.

The short and direct answer is that Codebook is, to varying degrees, susceptible to the same types of analysis described in this article. While Codebook will make attempts, whenever possible, to wipe sensitive information from memory, we have only limited control over where in the process memory sensitive information may end up. This could include various UI controls, managed code, managed memory, etc. On some platforms, like macOS and iOS, we have finer-grained control than on others, like Windows or Android, but regardless, in order to display secret information to you, it must pass through the program’s memory.

Unfortunately, in an attempt to make these findings sound more impressive, the article fails to mention that the same is true for every software program in existence, without exception.

There is no way to protect against an attacker with access to your computer, the privileges necessary to run arbitrary software, and direct access to the memory of other running processes. Application data can be compromised no matter what under those circumstances.

As a result, users of Codebook (or any other password manager) must consider the use of the software in the scope of their overall computing platforms. It is important to ensure that workstations and devices are secured with strong credentials, and kept free of untrusted programs, especially in an administrative context. Layered security will go a long way to protecting your applications and data from this sort of risk.
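To illustrate the point made in post #4 about wiping secrets versus the copies an application does not control, here is a small added example in C. It is not Codebook's code and does not reflect how Codebook handles memory; the buffer sizes, the `secure_wipe` helper and the sample pass phrase are constructed for the demonstration. It shows a wipe the compiler cannot optimize away (stores through a `volatile` pointer), verifies that the application's own working buffer is clean afterwards, and shows that a copy handed to a stand-in "display layer" buffer is still intact, which is exactly the residue the post describes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Wipe that the compiler cannot elide: the stores go through a volatile
 * pointer, so they count as observable side effects. Platform-specific
 * equivalents exist (explicit_bzero, SecureZeroMemory, memset_s); this
 * portable loop is used here so the example builds anywhere. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, otherwise 0. */
int is_wiped(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/* Sanity check for the wipe itself: fill a buffer with non-zero bytes,
 * wipe it, and report whether it came back all zero. */
int wipe_self_test(void) {
    unsigned char scratch[32];
    memset(scratch, 0xA5, sizeof scratch);
    secure_wipe(scratch, sizeof scratch);
    return is_wiped(scratch, sizeof scratch);
}

/* Simulated lifecycle of one secret:
 *   1. the secret lands in a working buffer the application owns;
 *   2. it is copied into ui_copy, which stands in for a UI control or
 *      managed object the application does not own;
 *   3. the working buffer is wiped.
 * Returns 1 if the working buffer is clean afterwards, 0 if not, and -1
 * if the secret does not fit. ui_copy is left as the display layer
 * would leave it, so the caller can see what the wipe did not reach. */
int use_secret_then_wipe(const char *secret, char *ui_copy, size_t ui_len) {
    char working[64];
    size_t n = strlen(secret);
    if (n >= sizeof working || n >= ui_len) {
        return -1;
    }
    memcpy(working, secret, n + 1);
    memcpy(ui_copy, working, n + 1);          /* hand-off to the display layer */
    secure_wipe(working, sizeof working);     /* clean what we control */
    return is_wiped((const unsigned char *)working, sizeof working);
}

/* Runs the lifecycle on a constructed sample and returns 1 only if the
 * working buffer was wiped AND the display-layer copy still holds the
 * secret verbatim, i.e. the situation the thread is discussing. */
int demo_residue(void) {
    const char *constructed_secret = "example-pass-phrase"; /* constructed sample */
    char ui[64];
    int working_clean = use_secret_then_wipe(constructed_secret, ui, sizeof ui);
    int copy_intact = (strcmp(ui, constructed_secret) == 0);
    int result = (working_clean == 1) && copy_intact;
    secure_wipe(ui, sizeof ui); /* clean up the sample before returning */
    return result;
}

int main(void) {
    printf("wipe self-test passed: %s\n", wipe_self_test() ? "yes" : "no");
    printf("working buffer wiped but display copy intact: %s\n",
           demo_residue() ? "yes" : "no");
    return 0;
}
```

The takeaway for a defender is the one the post makes: wiping what the application owns is worthwhile and should be done with a routine the compiler cannot remove, but it does not reach copies held by UI toolkits, garbage-collected runtimes or the OS, so host hardening (no untrusted code, least privilege, locked workstations) remains the real control.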
