Proton Pass security flaw exposed: Firefox users at risk


A password manager by Swiss-based company Proton is still storing sensitive data, including credit card numbers and security codes, in plain text in memory on Firefox. A patch is on the way.


Proton Pass positions itself as an open source password manager in which all data is end-to-end encrypted, essentially making it unreadable even to Proton itself.

However, it seems that if an attacker had access to a victim’s computer, they could retrieve all the items stored on Proton Pass. This would be possible even after Proton Pass is locked.

The issue, recently highlighted by German penetration tester Mike Kuketz and first picked up by the Restore Privacy media outfit, has been known for quite a while.

“In the last few days I have looked at the open source password manager ProtonPass from Proton. Among other things, I found that usernames, passwords, etc. can be found as plain text in the memory after unlocking the password memory in the browser extension. Even after the password memory has been locked, all the data remains in memory,” Kuketz writes.

He recently brought to our attention that a penetration testing company called Cure53 audited Proton Pass. The audit report, published in July, highlights the very same problem.

“The password and other items of a given Proton Pass extension are not cleared from memory immediately after the user locks the application. This means that an attacker with physical access to the victim's computer can retrieve the victim’s saved items, even if the extension is locked. Notably, the locking mechanism only takes effect on the server-side, while no previous data is cleared from memory.”

Notably, auditors highlighted the issue with the Proton Pass extension on Google Chrome.

Cybernews researchers independently verified that the problem is now fixed, meaning Proton Pass users should be safe using their Chrome extensions.


However, they’ve also checked the Proton Pass extension on Firefox and concluded that no fix has been applied for this browser as of yet, but one is to be rolled out soon.

In the example below, you can see that a credit card number, its CVV code and its expiration date are still visible in a “Firefox Process Memory Dump File.” For this experiment, we used a dummy account with fake credentials.

Image: Proton Pass Firefox data

The company fixed the issue after the audit, but the bug was reintroduced.

“Thanks for bringing this to our attention; we've confirmed on our side that this bug (previously found in the Cure53 audit) has been reintroduced recently with some new Proton Pass features,” Proton said in an email to Cybernews.

“This is an end-game scenario type of attack where the attacker would need access to a browser or memory to have access to passwords. This is a highly unlikely scenario, but as Proton is absolutely committed to the security and privacy of our users, we'll be fixing this as soon as possible. We will be pushing an update to Proton Pass in the coming hours that corrects this bug and further obfuscates and hardens any data stored in memory. The Chrome extension is already updated with a patch for this, with other browsers coming soon,” it said.

The company also added that “The Firefox update is still in review with Mozilla and will be live as soon as they complete their review.”

In a recent clarification sent to Cybernews, Proton stated that password managers, by design, store data in memory in an unencrypted format. They explained, "This is because the application requires access to plaintext data for tasks such as auto-filling login fields. Encrypting this data while in memory would render the application non-functional, making encryption in this context impossible. Storing data in memory without encryption is a common feature in all password managers and is not considered a security flaw."

According to Proton's representatives, while some password managers may obfuscate data, this is not equivalent to encryption, as "obfuscation can be easily reverse-engineered and does not provide a meaningful security layer."

Proton emphasized that the issue discovered was related to the PIN lock, rather than to the absence of in-memory encryption, which is common to all password managers. They stated, "The issue identified in the audit is that it can take up to 30 minutes for data to be cleared from memory after the PIN lock is activated. As mentioned in Cure53's audit report, the severity of this issue is low because exploiting it would require an attacker to have physical access to the device and access to its memory, indicating that the device is already fully compromised. An attacker with such access would already be able to bypass the PIN protection."
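To make the distinction Cure53 and Proton draw concrete, here is an added illustration, not Proton Pass code and unrelated to its actual implementation: a toy extension vault where locking only sets a flag, beside one that wipes decrypted items from memory the moment the user locks. The vault layout, the simulated heap and the sample card values are all constructed.

```javascript
// Added illustration (not Proton Pass code): decrypted vault items live in byte
// buffers; `leakyLock` models the audited lock-as-flag, `clearingLock` wipes them.
const enc = new TextEncoder();
const dec = new TextDecoder();

// `heap` stands in for process memory: every buffer the vault ever allocated,
// which is what a memory dump would capture regardless of the vault's own state.
function makeVault(heap) {
  const alloc = (s) => { const buf = enc.encode(s); heap.push(buf); return buf; };
  return {
    locked: false,
    // Constructed dummy items; a real vault fills these after decryption.
    items: new Map([
      ['login', alloc('alice:hunter2')],
      ['card', alloc('4111111111111111|123|12/29')],
    ]),
  };
}

function readItem(vault, name) {
  if (vault.locked) throw new Error('vault is locked');
  return dec.decode(vault.items.get(name));
}

// Flawed lock: the UI refuses reads, but nothing is cleared from memory.
function leakyLock(vault) {
  vault.locked = true;
}

// Clearing lock: overwrite each buffer, drop the references, then set the flag.
// Caveat: this works for TypedArrays; JS strings are immutable and cannot be
// zeroed, so decrypted secrets should be held in buffers, not strings.
function clearingLock(vault) {
  for (const buf of vault.items.values()) buf.fill(0);
  vault.items.clear();
  vault.locked = true;
}

// Lock a fresh vault with `lockFn` and report what a dump of `heap` would reveal.
function runScenario(lockFn) {
  const heap = [];
  const vault = makeVault(heap);
  lockFn(vault);
  let readBlocked = false;
  try { readItem(vault, 'card'); } catch { readBlocked = true; }
  const dump = heap.map((b) => dec.decode(b)).join('\n');
  return { readBlocked, cardInDump: dump.includes('4111111111111111') };
}
```

Both variants refuse reads once locked, which is why the lock looks effective from the UI; only the clearing variant leaves nothing for a memory dump to recover.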
