Skip to content

Dashlane Hack Exposes Vulnerability in Password Vault Download Process

A recent hacking campaign against Dashlane users has highlighted a vulnerability in the password manager’s process for downloading encrypted password vaults. The attackers, who used a technique called ‘password spraying,’ were able to obtain valid tokens for fewer than 20 personal plan customers, allowing them to register new devices on those accounts and download copies of users’ encrypted vaults.

The attack began when the unknown threat actor abused Dashlane’s programming interfaces for device enrollment. By sending requests to large numbers of existing users’ registered email addresses, the attackers were able to trigger an automatic lockout of targeted accounts. However, in this case, the automated security systems operated as intended, and the attack was eventually shut down.

Dashlane explained that the attackers used a brute force attack to send a large volume of automated requests to device registration API endpoints. This technique, known as password spraying, involves sending multiple login attempts to different accounts with the same password in an attempt to gain access. In this case, the attackers sent requests to register new devices across a large number of accounts, increasing their chances of success.

The attack was particularly effective because it targeted the mechanism that allows Dashlane users to add new devices to their accounts. When a user installs the Dashlane app on a new device and attempts to enroll it in their existing account, Dashlane verifies the account holder’s identity by sending a one-time six-digit token to the user’s registered email address. The attackers were able to brute-force this code for fewer than 20 personal plan customers, allowing them to register new devices on those accounts and download encrypted vaults.

However, it is worth noting that the attackers would still have had to crack the master password in order to obtain the decrypted contents of the vaults. Dashlane uses an algorithm called Argon2, which dramatically slows down and intensifies the process of converting plain-text passwords into cryptographic hashes. This makes it extremely difficult for attackers to decrypt the vaults, even with significant computing resources.

The incident has similarities to the 2022 LastPass breach, in which attackers were able to obtain encrypted user vaults. However, in that case, the attackers were ultimately able to obtain decrypted information from some of the vaults due to weaknesses in the encryption algorithms used at the time. Dashlane has stated that no user fields in vaults are unencrypted and that algorithm updates occur automatically.

In light of this incident, it is recommended that all affected users change their master passwords and the contents of any recovered Dashlane vaults immediately. This will reduce the chance that the attackers succeed in breaking the master password. Unaffected users do not need to take any action.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *