Security researchers have disclosed a phishing technique named VaultJacking that exposes a weakness in how Google Password Manager protects synchronized credentials. By phishing a single secret, the Google Password Manager PIN, an attacker can unlock a victim's entire vault of stored passwords and passkeys.
Google Password Manager end-to-end encrypts the credentials it syncs between a user's devices, and it uses a user-chosen PIN (or the device screen lock) to unlock that encrypted data when the vault is set up on a new device. VaultJacking targets this recovery step: the attacker presents a phishing page or social-engineering pretext that imitates the legitimate Google prompt and induces the victim to type in the PIN. One caveat the article leaves implicit: the PIN is not a standalone secret. It only unlocks the vault on a device that is already signed in to the victim's Google Account, so the attacker must first have phished or otherwise obtained access to the account itself. With account access and the captured PIN, the attacker enrolls a device they control, supplies the PIN, and decrypts every stored credential.
The finding matters most for passkeys, which the industry promotes as a phishing-resistant replacement for passwords. A passkey is still unphishable at the site that accepts it: the private key never leaves the authenticator, and the browser only signs challenges for the origin the key was registered with. VaultJacking does not break that property; it goes around it by attacking the synchronization and recovery path that stores the private keys. Unlocking the vault on an attacker-controlled device yields working copies of the passkeys themselves, and with them the attacker can sign in as the victim anywhere those passkeys are registered.
The disclosure has renewed debate about the security model of cloud-synchronized password managers. Centralizing every credential behind one synced vault turns the vault into a single point of failure: a user who keeps credentials in Google Password Manager can lose their entire digital identity at once if the PIN is phished. The PIN is also a short, memorable secret that users have been conditioned to type into a Google-branded dialog, which is exactly what the phishing page imitates, so the social engineering required is comparatively simple.
Security professionals recommend that Google Password Manager users act now. Enable 2-Step Verification on the Google Account, preferably with a hardware security key or a passkey rather than SMS, since account access is the attacker's first step. Treat any request for the password manager PIN as suspicious unless you are yourself setting up the vault on a new device; the real prompt is browser or operating-system UI, not a web page, so a PIN field inside a tab with a URL is a red flag. Periodically review the devices listed in the Google Account's security settings and sign out any you do not recognize. Organizations should brief employees on this pretext specifically and use browser management policies to restrict or disable credential synchronization on corporate endpoints, or steer staff to a managed password manager that does not expose a phishable recovery PIN.
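As an added illustration of the last recommendation, and not something from the original article or from Google, the following is a Chrome managed-policy file for Linux (Chrome reads JSON files from /etc/opt/chrome/policies/managed/) that removes the synced vault, and with it the PIN recovery path, from managed browsers. By default no policy is set and Chrome syncs all data types, including passwords, so the PIN prompt can appear on any device the account signs in to. `SyncTypesListDisabled` and `PasswordManagerEnabled` are real Chrome enterprise policy names; turning the built-in manager off entirely is an assumed organizational choice that only makes sense when a managed alternative is deployed. Whether passkeys are covered by the "passwords" sync type in the Chrome version you run is an assumption to verify against Google's current policy documentation.

```json
{
  "SyncTypesListDisabled": ["passwords"],
  "PasswordManagerEnabled": false
}
```

Chrome applies a managed policy on the next restart, and the effect can be confirmed on a client by opening chrome://policy and checking that both entries appear with status OK and no conflicting user-level settings.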
Source: https://gbhackers.com/google-password-vaults-via-single-pin/