Dashlane – An autologin experience

Dashlane is a 3rd party application that aims to manage your login credentials to websites, facilitate your online purchases and much more. Have a look at their website; they will explain better than I can what this application, combined with a cloud service, is about.

Anyway. I’m not here to say Dashlane is a great product (yada yada) or not (moaning yada yada) but to share with you an experience I had with Dashlane and the guys behind Dashlane.

I’ve been testing Dashlane for a while now. So far my usage has been limited to express login and registration on various websites. I also tested the smart-form filling, which proved to be a precious time saver. Being somewhat conservative with several aspects of the Internet, I haven’t tested the Secure Digital Memory and Express Check Out modules.

Last week I came across an interesting experience using Dashlane.

The “always log me into the website” feature was active on Dashlane for my Twitter account. At some point I clicked on a shortened link that appeared in my Timeline. The link was triggering “Pr0file Analyser v3.3”. This has been recognized as malware/scam and many tweeple got caught by it. To some extent the autologin feature of Dashlane accelerated the fact that I was also caught by the malicious link. Indeed, it processed the login on Twitter that was required to authorize a 3rd party app to access my Twitter account. I apologize to @jief, who also clicked on it trusting what I tweeted. Actually the malicious app sent that tweet. I then deleted the tweet and also revoked access to the malicious app.

I decided to report that event via the interface of Dashlane “Feedback – Report a bug”. Feeling it was serious enough to get direct attention, I also engaged with @dashlane to DM them about my experience and the “0-day exploit” that I discovered.

We then exchanged a couple of emails relating to what happened. While both Dashlane’s guys and I agreed it wasn’t a Dashlane bug, it still deserved specific attention and remediation by Dashlane, as it could affect the Dashlane user experience. Since last week I’ve been kept in touch with their progress by Emmanuel Schalit, the CEO.

If you are a user of Dashlane running version 1.0.0 or an earlier version, I would recommend that you deactivate “always log me into the website” for the websites that offer an Authentication API for 3rd parties until an update is released.


I’m glad to see that Dashlane is addressing the issue. An update (v1.1) will be available soon. It will include the code and mechanism to prevent automatic login in the context of an authorization popup when triggered by 3rd party apps.
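To illustrate the kind of safeguard described above, here is an added example (my own sketch, not Dashlane’s code): a password manager’s “auto-submit” decision that fills the stored credentials but refuses to submit the form when the page looks like a third-party authorization step. The URL patterns and the `openedByOtherWindow` signal are assumptions about how such a check could be built, not details from Dashlane.

```javascript
// Added example: decide whether a password manager should auto-submit credentials.
// Assumed heuristic (not Dashlane's): an authorization context is either a popup
// opened by another window, or a URL whose path/query matches common OAuth
// authorization endpoints (e.g. Twitter's /oauth/authorize).
const AUTHZ_PATH_PATTERNS = [
  /\/oauth2?\/authori[sz]e\b/i,   // OAuth 1.0a / OAuth 2 authorization endpoint
  /\/oauth2?\/authenticate\b/i,   // Twitter's "Sign in with Twitter" variant
  /\/dialog\/oauth\b/i,           // Facebook-style login dialog
];

// Query parameters that, together, indicate an OAuth 2 authorization request.
const OAUTH2_PARAMS = ["client_id", "redirect_uri", "response_type"];

function isAuthorizationContext(pageUrl, openedByOtherWindow) {
  if (openedByOtherWindow) return true;           // popup spawned by a 3rd party page
  const url = new URL(pageUrl);
  if (AUTHZ_PATH_PATTERNS.some((re) => re.test(url.pathname))) return true;
  if (url.searchParams.has("oauth_token")) return true;   // OAuth 1.0a request token
  return OAUTH2_PARAMS.every((p) => url.searchParams.has(p));
}

// Returns what the manager should do: always fill (user still confirms),
// but only submit automatically outside an authorization context.
function autologinDecision(pageUrl, openedByOtherWindow, alwaysLogMeIn) {
  const authz = isAuthorizationContext(pageUrl, openedByOtherWindow);
  return {
    fill: true,
    submit: alwaysLogMeIn && !authz,
    reason: authz ? "third-party authorization context; manual confirmation required"
                  : "ordinary login page",
  };
}
```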

(I will update this blogpost when the fix is released)
