I've written a number of blog posts on LastPass security issues already. The latest one so far looked into the way LastPass data is encrypted before it is transmitted to the server. The thing is: when your password manager uploads all of its data to a server backend, you normally want to be very certain that the data visible to the server is useless both to attackers who manage to compromise the server and to the company employees running it. Early last year I reported a number of issues that allowed subverting LastPass encryption with comparably little effort. The most severe issues have been addressed, so all should be good now?

It is absolutely possible for a password manager to use a server for some functionality while not trusting it. However, LastPass has been designed in a way that makes taking this route very difficult. In particular, the decision to fall back to server-provided pages for parts of the browser extension's functionality is highly problematic. For example, whenever you access Account Settings you leave the trusted browser extension and land on a web interface served by the LastPass server, something that the extension tries to hide from you. Some other extension functionality is implemented similarly.

So back in November I discovered an API meant to accommodate this context switch from the extension to a web application and make it transparent to the user. Not sure how I managed to overlook it on my previous strolls through the LastPass codebase, but the getdata and keyplug2web API calls are quite something. The response to these calls contains your local encryption key, the one that could be used to decrypt all your server-side passwords. In other words, any page that can issue one of these calls and receive the answer holds everything it needs to read the entire vault.

There have been a number of reports in the past about that API being accessible to random websites. I particularly liked the security issue uncovered by Tavis Ormandy which exploited an undeclared variable to trick LastPass into loosening up its API restrictions. Luckily, all of these issues have been addressed, and by now it seems that only a few specific domains can trigger these calls.

Oh, but the chances of some page on those domains being vulnerable aren't exactly low! Somebody thought of that, so there is an additional security measure. The extension will normally ignore any getdata or keyplug2web calls, only producing a response once after this feature is unlocked. And it is unlocked on explicit user actions such as opening Account Preferences. This limits the danger considerably.

Except that the action isn't always triggered by the user. There is a "breach notification" feature where the LastPass server will send the user a notification with arbitrary text and a link. If the user clicks that link, the keyplug2web API will be unlocked and the page will get access to all of the user's passwords. Note that the "only once" limitation doesn't help here: a single response is all it takes, because that response carries the key.

So let's say the NSA knocks on their door: "Hey, we need your data on XYZ so we can check their terrorism connections!" As we know by now, the NSA does these things, and it happens to random people as well, despite them not having any ties to terrorism. LastPass data on the server is worthless on its own, but the NSA might be able to pressure the company into sending a breach notification to this user. It's not hard to choose a message in such a way that the user will be compelled to click the link, e.g. "IMPORTANT: Your Google account might be compromised. Click to learn more." Once they click it's all over: my proof-of-concept successfully downloaded all the data and decrypted it with the key provided. The page can then present the user with an "All good, we checked it and your account isn't affected" message while the NSA walks away with the data. The other scenario is of course a rogue company employee doing the same on their own.
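To make the failure mode concrete, here is an added illustrative model of the gate described above. It is not LastPass's code and does not reproduce the extension's real message plumbing or crypto; the origins, action names, the `requireExtensionUi` option and the notification URL are all assumptions made for the example. It shows why a "respond once, after an explicit user action" gate gives no protection when the server itself can cause that user action.

```javascript
// Added illustrative model, NOT LastPass's code: a browser extension that
// gates key-releasing "getdata"/"keyplug2web" calls behind a one-shot unlock
// granted on a user action. Origins, action names and the requireExtensionUi
// option are assumptions made for this example.

// Stand-ins for the handful of domains allowed to call the API.
const TRUSTED_ORIGINS = new Set(["https://vault.example", "https://vault-eu.example"]);

function createExtension(localKey, { requireExtensionUi = false } = {}) {
  let unlocked = false;
  return {
    // Records an "explicit user action". In the weak model any navigation to a
    // trusted origin counts, even one the user only performed because the
    // server sent them a link. In the hardened model only gestures made inside
    // the extension's own UI (e.g. its Account Settings button) count.
    onUserAction(action) {
      if (requireExtensionUi && action.source !== "extension-ui") return false;
      unlocked = true;
      return true;
    },
    // Handler for postMessage-style calls from a page; answers at most once
    // per unlock, and only to trusted origins.
    onMessage(origin, msg) {
      if (!TRUSTED_ORIGINS.has(origin)) return { error: "origin not allowed" };
      if (msg.type !== "getdata" && msg.type !== "keyplug2web") return { error: "unknown call" };
      if (!unlocked) return { error: "locked" };
      unlocked = false; // one response, then lock again
      return { key: localKey }; // the local encryption key: enough to read the whole vault
    },
  };
}

// Constructed breach-notification scenario. The server (coerced or rogue)
// sends a scary notification whose link lands on a trusted origin that the
// attacker controls, e.g. through a vulnerable page on that domain.
// Returns the key the attacker's page obtained, or null.
function breachNotificationAttack(ext) {
  const notification = {
    text: "IMPORTANT: Your Google account might be compromised. Click to learn more.",
    link: "https://vault.example/breach-check?id=42", // hypothetical URL
  };
  const origin = new URL(notification.link).origin;
  // The user clicks: from the extension's point of view this is a user action.
  ext.onUserAction({ kind: "navigate", source: "web-page", origin });
  // The attacker-controlled page asks for the key. The "once" limit is no
  // obstacle, because a single answer is all that is needed.
  const reply = ext.onMessage(origin, { type: "keyplug2web" });
  return reply.key || null;
}

// The legitimate flow the gate was designed for, for comparison: the user
// opens Account Settings from the extension's own UI.
function legitimateAccountSettingsFlow(ext) {
  ext.onUserAction({ kind: "open-account-settings", source: "extension-ui" });
  return ext.onMessage("https://vault.example", { type: "getdata" }).key || null;
}
```

With the weak model, `breachNotificationAttack` walks away with the key while `legitimateAccountSettingsFlow` works as intended; with `requireExtensionUi` set, the attack gets a `locked` response and the legitimate flow still works. The hardened variant is only one possible direction, and an assumption of this example rather than anything LastPass shipped; the general point is that the unlock has to be bound to an event the server cannot initiate, otherwise the server-trust boundary the gate is supposed to enforce does not exist.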