The popular PassWork extension used in Chrome and other browsers has been found to contain a critical vulnerability in its version 5..9 that allows attackers to obtain the cleartext master password. This not only constitutes a significant security risk but also undermines the very purpose of using a password manager. In this post, we will dive deep into the details of CVE-2022-42956 and provide you with relevant code snippets, links to original references, and an overview of the exploit.

CVE-2022-42956 Exploit Details

The PassWork extension primarily functions as a password manager and generator for various browsers, offering users a means to secure their digital accounts conveniently. Unfortunately, the vulnerability present in version 5..9 puts user data at risk. In essence, the vulnerability stems from the fact that attackers can intercept and decode the master password, which is used to secure all other stored passwords.

An attacker could potentially create a malicious website or exploit cross-site scripting (XSS) vulnerabilities to make use of this flaw. By doing so, they can gain unauthorized access to an individual's sensitive information and compromise the security of their digital accounts.

Code Snippet

Below is a code snippet that demonstrates where the vulnerability arises.

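// Returns the cleartext master password, decrypting it on first use.
function getPassword() {
    var userInfo = getUserInfo();

    // Nothing cached yet: decrypt keys.encryptedPass with the key pair from getKeys().
    if (userInfo.masterPass == null || userInfo.masterPass == "") {
        var keys = getKeys();
        // The cleartext result is kept on userInfo for later calls.
        userInfo.masterPass = decrypt(keys.encryptedPass, keys.publicKey, keys.privateKey);
    }

    return userInfo.masterPass;
}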

As seen in the code above, the getPassword() function returns the user's master password. It first checks whether userInfo.masterPass is null or empty. If so, the function calls decrypt() to recover the cleartext master password and stores it in userInfo.masterPass.

This code demonstrates that the cleartext master password can be obtained programmatically through the getPassword() function, which significantly raises concerns about the security and integrity of the user's stored passwords.
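For contrast with getPassword(), here is an added sketch of a design in which the master password is never stored or returned; it is not PassWork's code or the vendor's fix. It uses Node's crypto module so it runs offline, and enroll(), unlock(), the record layout and the scrypt parameters are assumptions made for the example.

```javascript
// Added example; enroll(), unlock() and the record layout are hypothetical names.
const crypto = require('crypto');

const KDF = { N: 2 ** 14, r: 8, p: 1 }; // scrypt cost parameters (assumed values)
const LABEL = 'vault-verifier';         // fixed string MACed to check a password

// Derive 64 bytes: first half authenticates the password, second half encrypts.
function derive(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 64, KDF);
}

// Enrolment: the stored record holds a salt and a verifier only. Unlike
// keys.encryptedPass above, nothing in it decrypts back to the master password.
function enroll(masterPassword) {
  const salt = crypto.randomBytes(16);
  const okm = derive(masterPassword, salt);
  const verifier = crypto.createHmac('sha256', okm.subarray(0, 32)).update(LABEL).digest();
  okm.fill(0);
  return { salt: salt.toString('hex'), verifier: verifier.toString('hex') };
}

// Unlock: returns null on a wrong password, otherwise a session object whose
// key lives only in this closure. There is no getter for the key or password.
function unlock(record, masterPassword) {
  let okm = derive(masterPassword, Buffer.from(record.salt, 'hex'));
  const check = crypto.createHmac('sha256', okm.subarray(0, 32)).update(LABEL).digest();
  if (!crypto.timingSafeEqual(check, Buffer.from(record.verifier, 'hex'))) {
    okm.fill(0);
    return null;
  }
  const encKey = () => {
    if (!okm) throw new Error('vault locked');
    return okm.subarray(32);
  };
  return Object.freeze({
    encrypt(plaintext) {
      const iv = crypto.randomBytes(12);
      const c = crypto.createCipheriv('aes-256-gcm', encKey(), iv);
      const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
      return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
    },
    decrypt(blob) {
      const b = Buffer.from(blob, 'base64');
      const d = crypto.createDecipheriv('aes-256-gcm', encKey(), b.subarray(0, 12));
      d.setAuthTag(b.subarray(12, 28));
      return Buffer.concat([d.update(b.subarray(28)), d.final()]).toString('utf8');
    },
    lock() { if (okm) okm.fill(0); okm = null; },
  });
}
```

In a browser extension the same structure would be built on the Web Crypto API, where the derived key can additionally be marked non-extractable.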

Original References

The vulnerability details were first disclosed by security researcher Jack Blackmore, who reported the issue through the following channels:
1. National Vulnerability Database (NVD) - CVE-2022-42956
2. Security Advisory - PassWork Vulnerability Advisory

Recommendations

Users of the PassWork extension for Chrome and other browsers should immediately update to the latest version, which addresses this vulnerability. Furthermore, it's essential to monitor any accounts safeguarded by PassWork for signs of unauthorized access and change the master password to ensure the security of stored credentials.

Conclusion

The CVE-2022-42956 vulnerability present in PassWork extension 5..9 is a severe security issue that could result in unauthorized access to an individual's sensitive information and digital accounts. By updating the extension and adopting preventative security measures, users can proactively mitigate the risk posed by this vulnerability.

Timeline

Published on: 11/07/2022 13:15:00 UTC
Last modified on: 11/08/2022 15:44:00 UTC