A series of flaws, bad security practices and design issues exposed the passwords of LastPass users to various types of attacks, researchers have demonstrated.
LastPass is a popular single-sign-on (SSO) and password management service that is reportedly used by more than 10,000 organizations. LastPass says it has no access to user data and boasts features such as local and secure encryption, secure encryption keys, and secure storage.
LastPass’ features and design should in theory make it difficult for an unauthorized party to gain access to passwords, whether they are trying to obtain the information from the user or from the company’s systems.
However, in a presentation last week at the Black Hat Europe security conference, Salesforce researchers Alberto Garcia Illera and Martin Vigo disclosed a series of bugs and design flaws that could have been exploited to attack LastPass via various vectors. Fortunately, LastPass addressed most of the issues shortly after they were reported by the experts.
Last year, Illera and Vigo demonstrated a method that could be used to obtain the master LastPass password on systems where the “remember password” option was enabled. The experts continued to analyze the password manager in an effort to find methods that can be used to hack LastPass from the client side, the server side, and from the outside.
In the client-side attack scenario, in which the attacker has access to the victim’s machine (not necessarily root access), the researchers attempted to find a way to obtain the key needed to decrypt the password vault without the “remember password” option being enabled.
They achieved this by targeting the LastPass session cookie. This cookie doesn’t include the actual vault key, which is stored locally in an encrypted form, but it does include a value (pwdeckey) that can be used to derive the key used to encrypt the vault key.
For cases where the user has two-factor authentication (2FA) enabled, Illera and Vigo found a way to bypass the security feature due to the way it’s implemented. Instead of relying on trust cookies, like in most 2FA implementations, LastPass uses a locally-stored token that is generated when the browser plugin is installed. The problem is that the token is stored in plain text, it’s shared with other users, and it never changes.
The researchers also found a method that could be used to gain access to the vault without a valid session cookie, the “remember password” option disabled, and 2FA enabled. They did this by abusing the account recovery feature, which gives users access to their vault without having to provide the master password or go through the 2FA process.
The attack method relies on a special “disabled one-time password” (dOTP) that is generated on the machine by default and is used for account recovery. The dOTP, described by Vigo as a master password on steroids, can be used for authentication, to obtain the encrypted vault key and decrypt it, and bypass IP restrictions and 2FA.
Since LastPass claims it does not have access to user data, passwords should not be accessible to an attacker who gains unauthorized access to the company’s systems, rogue LastPass employees, or a government agency (e.g. NSA) that requests information. However, Vigo and Illera demonstrated that server-side attacks are also possible.
The biggest issue is a parameter used to inject credentials on the login pages of websites that don’t use a regular form or submit button. The parameter in question, custom_js, is used to inject and execute JavaScript code, a feature that can be leveraged in combination with a specially crafted payload to steal user credentials.
As for attacks from the outside, the researchers demonstrated an attack against Firefox, which stores LastPass credentials, cleartext usernames and encrypted passwords, along with configuration data in a file called “prefs.js.” In some cases, the encrypted passwords can be decrypted using the methods described by researchers in the client-side attack scenario.
Vigo has pointed out that since “prefs.js” also stores Firefox configuration data, many users have posted these files online on various forums while trying to address Firefox-related issues.
The recent data breach suffered by LastPass combined with the fact that it’s now owned by LogMeIn, a company with a tarnished reputation, resulted in many customers announcing their intention to move to a different service.
The recent findings disclosed by the Salesforce researchers will certainly not help the company, but Vigo pointed out in a blog post that LastPass’ security team responded quickly to their reports and resolved most of the issues within 72 hours.
“There is no bug-free software and any future research on other password managers would likely have similar results,” Vigo said.