Serious Security Flaw in ID Safe

I just saw that Norton Identity Safe has a serious security flaw. Here is the scenario:

When I boot up my computer in the morning, I open my vault via my vault password. So far so good.

However, I have all financial sites additionally secured (bank sites, credit card sites etc.) to where the logins do not autofill but where ID Safe requests that the vault password is re-entered in order to fill the respective fields.

Now I just realized that this extra security step is completely useless: As long as the vault is generally open, there is no need to re-enter the vault password to obtain the login information.

Yes - it is requested alright, but entering the vault password at this point can be simply and easily circumvented by just clicking on the "Vault Is Open" icon in the Norton toolbar. Then one just has to enter the website's name in the "Search Your Logins" field and voila - the login information comes up - completely unsecured. All someone would have to do is to click on the "View Login" symbol, then either copy the information or just display the password by clicking on the eye symbol. As long as the vault is open, this supposed extra security is worth nothing.

I am actually shocked - and frustrated with myself that it took me so long to notice that. I am sure - given that this is Norton and not some small business! - they could program ID Safe to where it does not allow access to an open vault in cases where the re-entering of the vault password is requested for certain "vault-password secured" sites.
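Editor's added example, not part of the original post and not Norton's code: a minimal model of the behaviour the post asks for, where the per-login "re-enter vault password" rule is enforced at the one function that releases a secret, so the autofill path and the search-and-view path cannot differ. The `Vault` class, its methods and the sample sites are hypothetical.

```python
import hashlib
import hmac
import os

class ReauthRequired(Exception):
    """A protected login was requested without a fresh vault-password check."""

class Vault:
    def __init__(self, vault_password):
        self._salt = os.urandom(16)
        self._verifier = self._derive(vault_password)
        self._entries = {}  # site -> (username, password, require_reauth)
        self.is_open = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password):
        return hmac.compare_digest(self._derive(password), self._verifier)

    def add(self, site, username, password, require_reauth=False):
        self._entries[site] = (username, password, require_reauth)

    def open(self, password):
        self.is_open = self._check(password)
        return self.is_open

    def search(self, query):
        # Returns site names only; secrets leave the vault through release().
        return [site for site in self._entries if query in site]

    def release(self, site, reauth_password=None):
        """Single choke point: every UI path calls this to obtain a login."""
        if not self.is_open:
            raise PermissionError("vault is closed")
        username, secret, require_reauth = self._entries[site]
        if require_reauth and not (reauth_password and self._check(reauth_password)):
            raise ReauthRequired(site)
        return username, secret

# Two UI paths (hypothetical), both thin wrappers over release().
def autofill(vault, site, reauth_password=None):
    return vault.release(site, reauth_password)

def search_and_view(vault, query, reauth_password=None):
    return {s: vault.release(s, reauth_password) for s in vault.search(query)}
```

With the check inside `release()`, an open vault still refuses a flagged login on either path until the vault password is supplied again.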

Replies

Re: Serious Security Flaw in ID Safe

I don't have an answer for you but there are two work-arounds you could use.

  1. Simply log out of the vault when you don't need it.
  2. Similarly, you can set the vault to automatically close after a certain time.  The default is 15 minutes.
A little bit of knowledge is... well a little bit of knowledge.

Re: Serious Security Flaw in ID Safe

Hi Krusty,

Yes, I could just close the vault every time or let the default timeout do that for me. But then the question must be asked why Norton even has this "added security measure" of being able to enter the vault password twice. It would make no sense. That's why I believe that they overlooked that the vault can be accessed regardless, as long as the vault per se is open.

I hope someone from Norton can address this.


Re: Serious Security Flaw in ID Safe

I hope that you are wrong, Melu - I too have been relying on the "double lock" - but I don't think that you are.

And I hope that you will keep nagging away until you get a response!

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Re: Serious Security Flaw in ID Safe

I just tried this again. Now I CANNOT access the login information via the Vault is Open icon in the toolbar anymore. Very strange. 

This is odd because I tried this numerous times yesterday, with different "double-locked" sites, and in every instance I was able to get there via the icon in the toolbar. Not that I'm complaining but strange nonetheless. Can't imagine that they would have fixed this so quickly but... I'll take it. Hopefully it stays like that.


Re: Serious Security Flaw in ID Safe


Melu wrote:

I just tried this again. Now I CANNOT access the login information via the Vault is Open icon in the toolbar anymore. Very strange. 

This is odd because I tried this numerous times yesterday, with different "double-locked" sites, and in every instance I was able to get there via the icon in the toolbar. Not that I'm complaining but strange nonetheless. Can't imagine that they would have fixed this so quickly but... I'll take it. Hopefully it stays like that.


Have you restarted your browser and/or your computer? Many have reported an issue with loss of access to the vault from the Toolbar after an unknown amount of time being open.

Things happen. Export/Backup your Norton Password Manager data.

Re: Serious Security Flaw in ID Safe

Thanks Peter. I think it worked properly again after restarting my system, yes.

But "properly" in this case (i.e. sites that are double-locked) would actually be loss of access through the toolbar. So all is good now. I will monitor this and see if it quits working correctly again... Would post if that were the case.

This thread is closed from further comment. Please visit the forum to start a new thread.