Original Article Text

Enterprise password management outfit Passwordstate patches Emergency Access bug.

Up to 29,000 organizations and potentially 370,000 security and IT pros affected.

Australian development house Click Studios has warned users of its Passwordstate enterprise password management platform to update immediately if not sooner, following the discovery of an authentication bypass vulnerability that opens the doors to an emergency administration account with nothing more than a "carefully crafted URL."

"We have released [Passwordstate] build 9972," Click Studios' support team posted to the company's announcements board, "which includes two security updates. We recommend customers upgrade as soon as possible."

Those two security updates are detailed in the company's changelog as modifications to prevent clickjacking attacks against the software's browser extension and a "potential authentication bypass" which, at the time of writing, was pending the assignment of a CVE ID.

In a separate security advisories page, Click Studios goes into slightly more detail. Creating "a carefully crafted URL" allows attackers to access the Passwordstate Emergency Access portal, which is designed to provide ingress into the software when other accounts have been locked out or are otherwise inaccessible. "This account doesn't allocate a license from your available license pool," the company's documentation explains, "and is not intended for use in day to day operations. It should be regarded as an account of last resort."

For attackers, though, it seems to be very much an account of first resort. With nothing more than the "carefully crafted URL" and a web browser, attackers can bypass the authentication requirement of the Emergency Access portal – giving full administrator-level access to the Passwordstate installation, albeit at the cost of triggering email alerts to all registered security administrators on the system.
The flaw impacts a not-inconsiderable number of users worldwide. According to the latest figures released by Click Studios, Passwordstate is used in over 29,000 organizations and by 370,000 "security and IT professionals" in fields including government, banking and finance, insurance, healthcare, legal, utilities, mining, and, perhaps most worryingly, defense. These include Tasmania's Department of Health, which has been using the product since 2016 - though many of the company's customers choose to keep their use of the Passwordstate software a private matter.

This latest vulnerability is the fourth authentication bypass flaw to hit Passwordstate 9 since its release, following the discovery of CVE-2022-3876 and CVE-2022-3875 in 2022 and CVE-2024-39337 in 2024. Its severity has, naturally enough given the ease of exploitation, been rated as "high," though for partial mitigation Passwordstate advises - though does not require - that administrators restrict access to the Emergency Access portal by IP address specifically to avoid its misuse in the event of exactly this kind of issue.

Passwordstate 9 users looking to protect themselves from the vulnerability are advised to install Build 9972 or later to receive the patch, along with the related clickjacking fix.
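As an added example (not from the article and not Click Studios' code), the following audit script reads IIS W3C log lines and reports every request to the Emergency Access portal that did not come from an allowlisted address range, which is a quick way to check that the IP restriction the vendor recommends is in place and whether the portal was reached from anywhere else. The portal path `/emergency` and the sample log lines are constructed assumptions; confirm the path against your own installation.

```python
import ipaddress

# Assumed URL path of the Passwordstate Emergency Access portal (placeholder;
# confirm against your own installation's documentation).
EMERGENCY_PATH = "/emergency"

# Constructed sample in IIS W3C extended log format; not real Passwordstate logs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-03-01 10:00:01 10.0.0.5 GET /emergency - 10.0.0.20 200
2025-03-01 10:00:09 10.0.0.5 POST /emergency - 10.0.0.20 302
2025-03-01 10:01:33 10.0.0.5 GET /emergency - 203.0.113.77 200
2025-03-01 10:02:00 10.0.0.5 GET /passwords - 198.51.100.9 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def emergency_hits_outside_allowlist(text, allowed_cidrs):
    """Return (timestamp, client ip, method, status) for every request to the
    Emergency Access portal whose client address is not inside allowed_cidrs."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(EMERGENCY_PATH):
            continue  # only the emergency portal is of interest here
        client = ipaddress.ip_address(rec["c-ip"])
        if any(client in net for net in nets):
            continue  # expected administrator range, consistent with the IP restriction
        hits.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"],
                     rec["cs-method"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in emergency_hits_outside_allowlist(SAMPLE_LOG, ["10.0.0.0/24"]):
        print("Emergency Access request outside allowlist:", *hit)
```

A hit with a 200 status from outside the allowlist means the portal page was served to that address, which is exactly what the IP restriction is meant to prevent.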

Daily Brief Summary

VULNERABILITIES // Passwordstate Urges Immediate Update to Fix Critical Access Vulnerability

Passwordstate's latest vulnerability affects up to 29,000 organizations and 370,000 IT professionals, including sectors like government, finance, and defense.

The flaw allows attackers to exploit an authentication bypass using a "carefully crafted URL," granting full administrator access via the Emergency Access portal.

Click Studios has released Passwordstate Build 9972, addressing the vulnerability and a related clickjacking issue, urging immediate updates.

The vulnerability is rated "high" due to its ease of exploitation, though email alerts are triggered upon unauthorized access attempts.

This is the fourth authentication bypass flaw identified in Passwordstate 9, raising concerns over the software's security posture.

To mitigate risks, administrators are advised to restrict Emergency Access portal access by IP address and apply the latest patch.

Organizations using Passwordstate should assess their exposure and ensure rapid deployment of security updates to maintain system integrity.