Critical Authentication ​Bypass Discovered

Click Studios, the ⁣Australia-based maker of the ⁢enterprise password manager Passwordstate, is ⁣urging its 29,000 customers to ‍instantly install an update addressing a high-severity authentication bypass ‌vulnerability. The flaw allows attackers to⁤ craft ‌a malicious⁢ URL that grants access to the application’s Emergency Access page,potentially​ leading to full administrative control ⁤of the password ⁣vault.

As of ‌this writing, a Common Vulnerabilities and Exposures (CVE) identifier has not yet been assigned to the ‌vulnerability.

How the Vulnerability Works

According to Click Studios, the vulnerability stems from a flaw in how the Passwordstate‌ Emergency Access page is ‌handled. by ‍using a ⁢specifically designed URL, an attacker can circumvent normal authentication procedures and gain unauthorized access. This access could⁢ then ⁤be leveraged to reach the administrative section of the password manager, compromising all stored credentials.

Passwordstate’s Role and User Base

Passwordstate is designed to ⁤secure privileged ​credentials for organizations and integrates with Active ​Directory, the user account management service⁤ for Windows networks. ‍ It also supports features like password resets, ​event‍ auditing, and remote session logins.​ The password manager serves approximately 370,000 security professionals.

Patch Availability

Click ‌Studios‌ released build 9972 on Thursday ‌to address ‌this ‌and another vulnerability. The company details the ‌issue as a potential authentication bypass associated with accessing the Emergency Access page.