Vault Raider: Stealthy UI-based Attacks Against Password Managers in Desktop Environments
Andrea Infantino
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Usable Security
Vault Raider demonstrates that **desktop password managers** are vulnerable to stealthy phishing attacks through their **native autofill mechanisms**. While browser-based autofill uses URL-based origin verification, desktop autofill relies on **operating-system-level identity verification** that is fundamentally weaker and inconsistently implemented. A malicious native application running as a standard (unprivileged) user can exploit these weaknesses to harvest credentials, 2FA codes, payment information, and even the **vault master password** and **sudo password** from password managers.
AI review
A clean, practical attack against desktop password managers that harvests credentials, sudo passwords, and even vault master passwords through synthetic UI interactions -- all invisible to the user. The 1Password quick access bypass is elegant: no identity verification on a secondary interface that has full vault access. The finding that Windows password managers perform zero identity checks is damning. This is the kind of attack red teams should add to their toolkit.