Researcher: Even LastPass Will Be Hacked

by P. H. Madore, November 19, 2015

It seems we live in an era where all the things will, indeed, be compromised. Creativity in hacking is at an all-time high, and for perhaps the first time, a generation exists which does not immediately associate hacking with ill-conceived films from the end of the 20th century. As further proof, Hacked offers the findings of Martin Vigo and his collaborators, who have found several distinct routes to a target's LastPass vault.

Metasploiting And Decrypting Stored Passwords

Vigo has written on LastPass before, recounting in an earlier entry how he obtained the seed from which the key that decrypts LastPass's locally stored password material is derived (that material is encrypted, not hashed, which is why a seed is enough to recover it). He notes that the password reminder feature was particularly useful during the research; incredibly, the password itself is allowed to appear in the reminder.

2-factor authentication should be the way to go, but LastPass has this option. While indeed the reminder cannot be the password itself, we found out that it can “contain” the password. If your password is, say, ‘qwertyui’, your reminder cannot be ‘qwertyui’ BUT it can be ‘my password is qwertyui’. This might be because they hash the password so there is no way for them to tell that the sentence contains the password unless they hash the words separately to compare first.

In addition to reconstructing how LastPass's API calls are made, Vigo and Co. learned a great deal about the LastPass browser plugin. Rather than reverse engineering it statically, they first instrumented it so that it reported what each function was actually doing at runtime. The plugin library is written in JavaScript, “so no fancy assembly here.”

Alberto wrote a small script to help us […] This script would add as the first line of every function some logic to print information about the method itself and the value of the parameters passed. With that, we had a chronological stack of function calls and their parameter values. […] What caught our eye was what was happening when the user would click the option “store password”. This functionality provides the convenience of never having to enter the master password again, as it will be populated into the plugin and you will be automatically logged in.
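An added example of the instrumentation trick the quote describes (illustrative code written for this page, not the researchers' script and not LastPass's plugin): every named function declaration in a piece of JavaScript source gets a logging call inserted as its first statement, the rewritten source is loaded, and the resulting chronological trace of calls and parameter values is printed. The miniature plugin, the names deriveKey, saveToPrefs and storeMasterPassword, and the sample credentials are all constructed for the example. Note how the master password shows up in the clear as a parameter of the store call, which is exactly the kind of thing that “caught their eye”.

```javascript
const callLog = []; // chronological record of { name, args }

function __trace(name, args) {
  callLog.push({ name, args: Array.from(args) });
}

// Rewrite the source so that every named function declaration of the form
// `function name(params) {` begins with a __trace call. Anonymous function
// expressions, arrow functions and class methods are not matched by this
// pattern and would need further rules.
function instrument(source) {
  const fnDecl = /function\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)\s*\{/g;
  return source.replace(
    fnDecl,
    (match, name) => `${match} __trace(${JSON.stringify(name)}, arguments);`
  );
}

// Constructed miniature "plugin" (not LastPass code): deriveKey stands in for
// whatever key derivation the real plugin does, saveToPrefs for writing the
// remembered login to browser storage.
const pluginSource = `
function deriveKey(password, iterations) {
  return password.length * iterations;
}
function saveToPrefs(user, material) {
  return user + ":" + material;
}
function storeMasterPassword(username, password) {
  var material = deriveKey(password, 500);
  return saveToPrefs(username, material);
}
`;

// Load the instrumented source, run the entry call, and hand back its result
// together with the call trace collected while it ran.
function runInstrumented(source, entryCall) {
  callLog.length = 0;
  const load = new Function("__trace", `${instrument(source)}\nreturn (${entryCall});`);
  const result = load(__trace);
  return { result, log: callLog.slice() };
}

// Render the trace the way one reads it: one line per call, in order.
function formatLog(log) {
  return log.map((c) => `${c.name}(${c.args.map((a) => JSON.stringify(a)).join(", ")})`);
}

const trace = runInstrumented(
  pluginSource,
  'storeMasterPassword("alice@example.com", "qwertyui")'
);
for (const line of formatLog(trace.log)) console.log(line);
```

Against a real extension the same rewrite is applied to the unpacked plugin files before reloading them in the browser; the trace then shows which function receives the master password, what it derives from it, and where that value is written, which is the map the researchers needed before writing an extraction tool.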

The researchers then found that a Metasploit module could harvest the master password from any machine where the user had taken that “store password” option, and for this reason they recommend against storing it.

Further research turned up several more routes to a LastPass vault. The first thing they tried was the session cookies.

Our first shot was simply to look at using cookies to obtain the vault key. While this sounds straightforward, because of how LastPass is designed, the cookies will only get you what LastPass stores in their servers, and as you may guess, it does not include the vault key. […] We found that the vault key is actually stored locally encrypted. Where is the decryption key to decrypt the vault key? LastPass has the seed from where we can derive it.

The researchers noted that even if a LastPass master password is obtained using the methods they developed, it will be useless on its own against users who have enabled 2-factor authentication. 2FA adds a second proof of identity on top of the password, and there are several ways to deliver it.

One common way is to send an SMS to the phone number of the account holder with a one-time code. Therefore, if the attacker doesn’t have access to said phone, then that’s as far as they go. The more paranoid will be quick to point out that phones can be obtained, numbers can be hijacked, and so forth. This would be true, but the point is that it creates an additional layer of difficulty on top of LastPass itself.

Vigo's most recent post outlines other exploits, all of which were disclosed at Black Hat Amsterdam. Particularly interesting is that people are inadvertently publishing LastPass credentials online: “extensions.lastpass.loginpws” is the Firefox preference key under which the plugin keeps a remembered login, so any browser configuration dump posted on the web carries it, and a search for that string turns them up.

Hacked recommends the reader take a look at the whole debrief for more information. Specifically, the recommendations made near the end are important:

  • Use the binary version of the plugin
  • Do not store the master password
  • Activate the new Account Recovery over SMS
  • Audit your vault for malicious JS payloads
  • Don’t use “password reminder”
  • Activate 2FA
  • Add country restrictions
  • Disallow TOR logins

False Sense of Security?

LastPass and solutions like it are often presented as if they were impenetrable fortresses, when in fact they are like anything else: software that will eventually have bugs and vulnerabilities, no matter how many audits they undergo. At the same time, using some form of password manager is pretty necessary in an era when the average user will be credentialed on dozens of web platforms, from social media to forums to online banking to health insurance.

The human brain is not as gifted as a computer in retaining data, and so relying on it to keep a variety of secure passwords would be untenable. Despite finding several ways to get around LastPass’ security measures, Vigo closes by saying that password managers are still vital.

Password managers are a great tool that everyone should use. […] I can’t recommend any but make sure you use one!

Vigo also wanted to point out that his team has not “hacked” LastPass, but rather done it some favors. This is not just splitting hairs. Hacking, in the sense the headlines use, would mean finding a way to compromise the whole system at will, and potentially telling no one but those willing to pay for access.

Instead, they’ve noticed some significant security flaws and responsibly reported them to the world. It’s the very nature of their career to do as much, and labeling them “hackers” against their will is unfair. As Vigo says:

We have seen media and tweets mentioning that we “hacked LastPass”. We did not hack LastPass. We also don’t feel comfortable with those claims. What we did is find a number of bugs, bad practices and design issues which we used to obtain the vault key and decrypt all passwords in different scenarios. There is no bug-free software and any future research on other password managers would likely have similar results.

Images from Shutterstock.

  • Hitoshi Anatomi

    ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.