Passwords saved in browsers and fished out by malware could be to blame for hundreds of millions of password leaks
Insecurities in the way major web browsers store passwords and other information, combined with malware on people's PCs, could be behind a string of credentials leaks, security specialists have warned.
The malware may also be able to access the personal information that browsers use to pre-populate web forms. Twitter has suspended millions of accounts in response.
This is the view of specialists at security software company Rapid7 following an analysis of recent password leaks.
"While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself," said Tod Beardsley, security research manager at Rapid7.
"Specifically, it appears that the credentials were harvested from individual browsers' password stores.
"It's just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls."
An early analysis points to a specialised form of malware exploiting this browser security weakness.
"It's not clear from the analysis posted so far what the vector was, but it's certainly some flavour of malware - a malicious application targeting browser-based password storage," Beardsley told V3.
"Browser password storage tends to be in a very findable and predictable path, so either the malware accessed the store directly, or it simply scraped passwords from the log-in screens by navigating to Twitter's log-in page.
"Browser password storage favours ease of use over anything, and doesn't prompt the user for an unlock password after the first use, if at all. Firefox does prompt a user per session, while Chrome's password autofill is completely automated once signed into Google.
"Malware installed on a computer has at least the same rights as the affected user, so no password manager is truly bulletproof against a purpose-built password stealer.
"But an external password manager will typically require authentication for every use, and two-factor authentication does go a long way toward mitigation in the event of a password compromise."