Several design flaws plague LastPass' overall security

Nov 18, 2015 14:30 GMT

Two security engineers from Salesforce have found multiple design flaws in LastPass' service that could have allowed attackers access to anyone's password vaults.

One year earlier, the two, Alberto Garcia Illera and Martin Vigo, also managed to crack LastPass' master password for installations where the "remember password" option was activated.

Coming back to investigate LastPass' security features once again, the two presented a new series of attacks at this year's Black Hat Europe security conference in Amsterdam.

Client-side attacks on LastPass

For starters, client-side attacks like the one they had discovered one year earlier were also possible even if the "remember password" option was not enabled.

This was possible because of a LastPass design flaw in its session cookie. This cookie stored a password decryption key (pwdeckey), which allowed the two researchers to derive another key used to encrypt the password vault key. By going through various decryption steps, access was eventually granted to all user passwords.

Enabling 2FA (two-factor authentication) did not keep the passwords any safer. Because LastPass used an older method of implementing 2FA, relying on locally stored tokens instead of the modern approach of using trust cookies, 2FA could be easily bypassed.

The problem was that this local token was stored on the user's computer in cleartext. You can imagine the results for yourself.

Other problems with LastPass' 2FA mechanism included the fact that the token never changed, and that the same token was used for all browsers.

Additionally, the token was stored on all computers, even if the user did not activate 2FA, which allowed attackers to steal it and use it later. Even worse, the token was also injected inside a page's DOM structure, allowing attackers to steal it via XSS attacks.
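To make the 2FA design issues above concrete, here is an added example (not LastPass code, and a simplified model with assumed names) contrasting a trust store with the properties the researchers criticised against one that issues a per-device token only after a successful second factor, keeps only an HMAC of it server-side, and rotates it on every use:

```python
import hashlib, hmac, secrets, time

class WeakTrustStore:
    """Models the criticised design: one static token per account, handed to
    every client whether or not 2FA is on, never rotated, same in every browser."""
    def __init__(self):
        self.tokens = {}  # user -> cleartext token
    def issue(self, user, two_fa_enabled):
        # token is created even when the user never turned 2FA on
        return self.tokens.setdefault(user, secrets.token_hex(16))
    def verify(self, user, token):
        return self.tokens.get(user) == token

class HardenedTrustStore:
    """Per-device token, issued only after a second factor succeeded, stored
    as an HMAC (a leaked server table reveals nothing usable), rotated on use."""
    def __init__(self, server_key, ttl=30 * 24 * 3600):
        self.key, self.ttl = server_key, ttl
        self.records = {}  # (user, device_id) -> (token_hmac, expiry)
    def _mac(self, token):
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()
    def issue(self, user, device_id, second_factor_ok, now=None):
        if not second_factor_ok:
            return None  # no trust token without a real second factor
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.records[(user, device_id)] = (self._mac(token), now + self.ttl)
        return token
    def verify_and_rotate(self, user, device_id, token, now=None):
        """Returns a fresh token on success, None on failure. A wrong or
        expired presentation revokes the device's trust entirely."""
        now = time.time() if now is None else now
        rec = self.records.get((user, device_id))
        if rec is None:
            return None
        token_mac, expiry = rec
        if now > expiry or not hmac.compare_digest(token_mac, self._mac(token)):
            self.records.pop((user, device_id), None)
            return None
        return self.issue(user, device_id, True, now)  # rotate: old token dies
```

The hardened store also binds the token to a device identifier, so a token copied out of one browser does not verify when presented from another.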

Server-side attacks on LastPass

For server-side attacks, researchers looked at LastPass' mechanism of injecting usernames and passwords into Web pages.

To achieve this, LastPass uses custom JavaScript, which is saved directly in the password vault in clear text. The researchers demonstrated that attackers can append malicious code to the custom_js LastPass parameter, and by doing so, record and steal data from login pages where LastPass automatically fills in your credentials.

A more technical explanation of all the attacks and even some others we did not mention in our article can be found inside the researchers' Black Hat Europe whitepaper and on Vigo's personal blog (which also includes some recommendations on how to properly set up LastPass).

LastPass fixes issues, researchers come to its defense

LastPass was notified of the issues, and the two researchers said the company was very quick to release fixes.

"We want to point out that the security team at LastPass responded very quickly to all our reports and a lot of the issues were fixed in just a couple of days. It was very easy to communicate and work with them," noted Vigo.

"We have seen media and tweets mentioning that we 'hacked LastPass.' We did not hack LastPass," continued Vigo. "What we did is find a number of bugs, bad practices and design issues which we used to obtain the vault key and decrypt all passwords in different scenarios. There is no bug-free software and any future research on other password managers would likely have similar results."

LastPass attack scenario, using the custom_js payload
LastPass has several design flaws that reveal user passwords