Martin Vigo and Alberto Garcia Illera, both security engineers at Salesforce.com, recently presented their analysis of LastPass at Black Hat Europe 2015.
In a blog post describing their findings, Vigo and Garcia say that after conducting some preliminary research, the duo decided to see if they could attack LastPass’s password vault directly and obtain access to LastPass credentials via three different techniques: client-side attacks, LastPass-side attacks, and attacks from the outside.
Regarding the first method of attack, the researchers found a way to exploit session cookies, allowing them to gain access to the encrypted vault key.
“We can use the session cookie to query LastPass and obtain the pwdeckey value,” the duo explained. “Once we have that, we can derive a key by doing SHA256(pwdeckey). Now we just need to extract the encrypted vault key from the SQLite DB and decrypt it using the key we just derived.”
After unearthing some weaknesses in the way LastPass configured its two-factor authentication protocols, Vigo and Garcia eventually found a way to recover a disabled One Time Password (known as a dOTP, and which the researchers describe as a “master password on steroids”) that is stored locally on a user’s machine.
“This is key to understand the advantage of this attack versus stealing the master password which needs the victim to have previously clicked ‘Remember Password’,” the researchers note.
The duo finally used the dOTP to obtain the session cookie and the encrypted vault key, which they decrypted using the dOTP.
Moving on to LastPass-side attacks, Vigo and Garcia found that the vault itself was not encrypted per se but instead presented cleartext metadata with encrypted values. (The URLs/icons were only encoded, whereas credentials were encrypted using a weak method.)
They also found that LastPass added a “custom_js” parameter to every Account node:
For outside attacks, the researchers do not go into too much detail in the blog post, and instead direct readers to view the slides of their talk.
At first glance, these bugs with LastPass might seem to endorse the actions of those who – against the advice of some – immediately decided to migrate away from LastPass after the company was bought by LogMeIn.
But, as Vigo and Garcia note, LastPass may not be the only password manager with vulnerabilities, and its development team have at least responded to the findings in what seems to be a responsible and timely manner:
We found a number of bugs, bad practices and design issues and used them to obtain the vault key and decrypt all passwords in different scenarios.
There is no bug-free software and any future research on other password managers would likely have similar results.
LastPass has responded and fixed most of the issues in less than 72 hours.
“We want to point out that the security team at LastPass responded very quickly to all our reports and lot of the issues were fixed in just a couple days,” the pair explain. “It was very easy to communicate and work with them.”
Password managers can have their weaknesses, but as pointed out by Bob Covello on Tripwire’s The State of Security blog, even faulty password managers are a good choice versus users storing their passwords in local files.
LastPass has taken responsibility for its bugs; it stands to reason that many of these issues will therefore not resurface going forward.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.