This thread needs a solution.
Kudos: 0

Norton Password Manager - Vault Key Stored Server Side

Hi, please can I get advice from the Norton team. Unless I'm mistaken, it would appear that Norton are storing vault keys server side.

Steps to reproduce:
Uninstall the Norton Password Manager app from iOS.
Reinstall the Norton Password Manager on the same iOS device.
Log in with your Norton online account credentials.

Outcome:
Vault is automatically unlocked. Nowhere was I asked to enter my Vault password.

Concern:
How can a fresh iOS app install bypass the vault password? This leads me to suspect vault passwords are being stored server side at Norton.

Replies

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

Vault password is not stored by Norton.

Is it possible that before you uninstalled Password Manager you had opened the vault and not closed it? I think that uninstalling the app does not close the vault so it would have remained open on your device.

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

Hi, I can confirm the entire app and its contents were wiped from the device. I have also repeated the process, and it can be replicated on other devices. So long as it's the same device (with the same hardware ID), when removing and reinstalling the app the vault automatically unlocks without the user entering the vault password. I haven't attempted reinstalling the OS and using a different Apple account to see if it persists. This could be a test.

If you believe there is some way of storing residual data behind on an iPhone (keys / credentials / FaceID storing keys etc.) even after the app has been uninstalled, please link me to the Apple dev documentation that shows how this is possible. Otherwise Norton must be storing either a vault password / certificate server side.

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

If you do a restart after reinstalling the app, does it ask for the vault password when opening?

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

Hi, just tested now. Uninstalled app, restarted, reinstalled app, restarted, signed in with credentials and vault automatically unlocked again.

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

I do not have an iOS device but I do have Android and am unable to recreate the scenario that you have described. Maybe somebody else here with iOS can try to recreate on their phone.

This would be a serious breach of trust in Norton so I hope this thread would be relegated higher and addressed.

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

I'm hoping it's just some API functionality in the iOS OS that allows the key to be stored somewhere with e.g. FaceID, which for some reason is able to persist even after uninstalling the app. Need Norton team to confirm / link to Apple dev documentation explaining how this works.

It's good to hear this isn't happening on Android.

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

Hello! Thank you very much for your contact and for participating in our Forum. I would like to inform you that we are going to review this situation. Thank you!

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

Are you unlocking via facial recognition? Face recognition is stored by OS and used by NPWM.

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

I don't believe FaceID stores keys in the OS. FaceID would generate a unique identifier for the face that is presented, which can then be referenced code side, not OS side. Even if FaceID was capable of storing keys OS side, they shouldn't persist after the app has been uninstalled; this presents a security concern. I can't see any reference to this in the Apple dev docs.

If however it is possible for FaceID to store keys, and do it persistently after uninstalling the app, I would need confirmation of this from the Norton dev team / reference to the Apple dev docs.

Kudos: 1

Re: Norton Password Manager - Vault Key Stored Server Side

I believe I have identified the issue. Assuming the iOS version of the Norton app is using the Keychain Services API in the Apple OS, it would appear that keys are persistent after application uninstalls:
https://developer.apple.com/forums/thread/36442
https://developer.apple.com/forums/thread/22874

Norton devs - Potential fix described here:
https://stackoverflow.com/questions/4747404/delete-keychain-items-when-an-app-is-uninstalled

Hopefully the Norton devs can just confirm this to me, and if so, consider implementing the fix described above.
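
An added example, not code from this thread or from Norton: one common way to get the behaviour the linked fix's title describes, assuming the app's preferences (`UserDefaults`) are removed with the app on uninstall while its Keychain items are not. The flag name `hasLaunchedBefore` and both function names are hypothetical.

```swift
import Foundation
import Security

/// Hypothetical flag name. UserDefaults live in the app container, which is
/// deleted on uninstall, so a missing flag means "first launch of this install".
let firstLaunchFlag = "hasLaunchedBefore"

/// Deletes every Keychain item this app can access, one item class at a time.
/// Returns the classes for which deletion failed (empty on success).
func purgeKeychain() -> [CFString] {
    let classes: [CFString] = [
        kSecClassGenericPassword,
        kSecClassInternetPassword,
        kSecClassCertificate,
        kSecClassKey,
        kSecClassIdentity,
    ]
    var failed: [CFString] = []
    for itemClass in classes {
        // On iOS a query with only kSecClass matches all of the app's items
        // of that class.
        let query: [CFString: Any] = [kSecClass: itemClass]
        let status = SecItemDelete(query as CFDictionary)
        // errSecItemNotFound only means there was nothing of this class to remove.
        if status != errSecSuccess && status != errSecItemNotFound {
            failed.append(itemClass)
        }
    }
    return failed
}

/// Call early in application(_:didFinishLaunchingWithOptions:), before any
/// code reads a vault key from the Keychain.
func resetKeychainOnFreshInstall(defaults: UserDefaults = .standard) {
    guard !defaults.bool(forKey: firstLaunchFlag) else { return }
    let failed = purgeKeychain()
    // Mark the install as initialised only once the stale items are gone,
    // so a failed purge is retried on the next launch.
    if failed.isEmpty {
        defaults.set(true, forKey: firstLaunchFlag)
    }
}
```

A query without `kSecAttrSynchronizable` matches only non-synchronized items, so iCloud Keychain entries are left alone here. Items in an access group shared with other apps from the same developer are deleted too, so scope the query with `kSecAttrAccessGroup` if that is not wanted.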

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

It sounds like you found your own solution. Does that get a Kudos? Sounds like it should. (I'm new.) 

So, you're saying the password for Norton Password Manager stays saved in the iOS Password Manager even if you remove the app?

Perhaps when deleting any app, the password would stay saved in iOS Password Manager, in case you have other iOS devices that still use that same app and the same Apple ID, no matter if it's Norton or another app?

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

Liliana_P:

Hello! Thank you very much for your contact and for participating in our Forum. I would like to inform you that we are going to review this situation. Thank you!

Kudos: 0

Re: Norton Password Manager - Vault Key Stored Server Side

If the issue is the Apple Keychain service being used, it should not be a security problem as that service is secure according to this Apple Support Article.

Kudos: 1

Re: Norton Password Manager - Vault Key Stored Server Side

@levelflyer12 What you mentioned in your comment (https://community.norton.com/en/comment/8533145#comment-8533145) is correct. We are indeed making use of the Apple Keychain Services. Please be assured that the Vault Keys never leave the device/client and all encryption/decryption happens locally.

Thanks for your suggestions, we'll explore it.
