Matsuda Posted December 3, 2014

Under certain conditions, an attacker could obtain the LastPass master password of a victim by tricking them into running a malicious payload that could go undetected by some antivirus products.

During the DefCamp 2014 security conference in Bucharest, Romania, over the weekend, security enthusiast Alex Balan showed how a clever combination of security tools could offer an attacker a way into the computer of a victim, despite the watchful eye of a fully updated antivirus solution.

Clever planting of the malicious payload

He used Ettercap, Burp, the Backdoor Factory (BDF) and Metasploit to prepare the malicious file, drop it on the target system and extract the sensitive information. After hijacking the connection of the victim machine, Balan noticed the update queries from Samsung Kies, an application used for synchronizing smartphones with the PC.

The interesting part was that the query was in plain text, which allowed manipulating the information through a man-in-the-middle attack, and there was no validation mechanism, thus permitting serving a file from any machine.

Using Burp, the researcher managed to replace server replies with a message of his own, informing the client that a new update was available from a local machine. Preparing the malicious update carrying a Metasploit payload was done using BDF. The researcher injected the payload in a legitimate Kies update binary, in empty areas called “code caves.”

The hardest part of the experiment, called "Owning the Girl Next Door", consisted of finding the right place to inject the shell code so that it is not easily detected by an antivirus; some products were able to identify the tampered Kies update as a potential threat.

Most of the downloads happen over HTTP

The result was a maliciously crafted Kies update that would install without triggering the up-to-date antivirus on the target machine. The installation of the update proceeds normally and the user can benefit from the software version pushed by the attacker. However, the payload is also executed and the third party gets access to the computer and the plain text sensitive data stored by the LastPass browser plug-in. Important to note is the fact that the Metasploit module used only works if the “store my password” option is enabled.

LastPass relies on encryption to protect its data, and the same goes for the master password stored locally. However, the authors of the Metasploit module discovered that the process relied on weak encryption (AES 256 in CBC or ECB mode); next, they determined how it worked and created a script to reverse it.

The whole purpose of a password manager is for the user to remember one string of characters that would allow access to the usernames and passwords for other online services. After discovering the issue, the authors of the module (Martin Vigo, Alberto Garcia Illera and Jon Hart) contacted LastPass privately, and now the user is informed that storing the password locally is not a safe option upon enabling it.

Samsung Kies was selected for the purpose of the experiment because it was easiest to hack, but there are numerous other applications that can be used. Balan said that more than 90% of downloads occur over an insecure connection, and in many cases there is no validation of the file and its origin; alternatively, sometimes the validation checks are also sent via plain text and can be spoofed by an attacker.

Someone determined to compromise a computer could analyze the traffic from the target and devise a trick for delivering a malicious payload.

Original Article
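The article's root cause on the delivery side is an update channel with no validation of the file or its origin: a reply spoofed in transit could point the client at any binary, and a binary altered after the fact installed cleanly. The Go program below is an added example, not code from the article, from Balan's talk or from any vendor; it shows the check such a client should make. The client pins the vendor's Ed25519 public key, verifies a signed manifest before parsing it, and then compares the downloaded binary against the SHA-256 digest the manifest carries. The manifest format, field names and the "update binary" bytes are all constructed for the example and do not describe the real Kies protocol.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata an update server hands to the client.
// Structure and field names are assumptions for this example, not the
// real Kies update format.
type UpdateManifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update binary
}

// SignedManifest carries the serialized manifest and a detached Ed25519
// signature made with the vendor's release key.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("update binary does not match the hash in the signed manifest")
)

// SignManifest is the vendor-side step: serialize the manifest and sign it.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client-side step. Because the public key is pinned in
// the client, a man-in-the-middle who rewrites the server's reply cannot
// produce a manifest that verifies, and a binary altered after signing cannot
// match the digest. The signature is checked before the manifest is parsed so
// that no unauthenticated bytes reach the JSON decoder.
func VerifyUpdate(pinnedPub ed25519.PublicKey, sm SignedManifest, binary []byte) (UpdateManifest, error) {
	var m UpdateManifest
	if !ed25519.Verify(pinnedPub, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return m, err
	}
	got := sha256.Sum256(binary)
	if !bytes.Equal(got[:], want) {
		return m, ErrHashMismatch
	}
	return m, nil
}

// Demo runs three scenarios against a constructed stand-in for a release
// binary: the genuine release, a copy with bytes overwritten after signing,
// and a manifest signed by a key the attacker generated themselves.
func Demo() (genuineErr, tamperedErr, forgedErr error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	// Constructed placeholder for an installer; real updates are far larger.
	genuine := []byte("EXAMPLE-UPDATE-v3.2.14 installer bytes (constructed sample)")
	sum := sha256.Sum256(genuine)
	sm, err := SignManifest(vendorPriv, UpdateManifest{
		Product: "ExampleSyncTool", Version: "3.2.14", SHA256: hex.EncodeToString(sum[:]),
	})
	if err != nil {
		return err, err, err
	}
	_, genuineErr = VerifyUpdate(vendorPub, sm, genuine)

	// Scenario 2: the binary is modified in transit; the manifest is genuine.
	tampered := append([]byte(nil), genuine...)
	copy(tampered[20:], []byte("XXXXXXXX")) // simulate bytes overwritten inside the file
	_, tamperedErr = VerifyUpdate(vendorPub, sm, tampered)

	// Scenario 3: a spoofed reply carries a manifest signed with a key the
	// client has never pinned.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerSum := sha256.Sum256(tampered)
	forged, _ := SignManifest(attackerPriv, UpdateManifest{
		Product: "ExampleSyncTool", Version: "3.2.15", SHA256: hex.EncodeToString(attackerSum[:]),
	})
	_, forgedErr = VerifyUpdate(vendorPub, forged, tampered)
	return genuineErr, tamperedErr, forgedErr
}

func main() {
	g, t, f := Demo()
	fmt.Println("genuine :", g)
	fmt.Println("tampered:", t)
	fmt.Println("forged  :", f)
}
```

Transport security (HTTPS with certificate validation) stops the reply from being rewritten in the first place, but the signed manifest is what protects the client when the download itself comes from a mirror or CDN the vendor does not control, which is the situation the article's "more than 90% of downloads occur over an insecure connection" figure describes.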
Ponting Posted December 4, 2014

http://www.martinvigo.com/a-look-into-lastpass/
dcs18 Posted December 4, 2014

Every once in a few years something like this comes up about LastPass - brings relief to be running RoboForm. :showoff:
software182 Posted December 4, 2014

yolo
CODYQX4 Posted December 4, 2014

> Every once in a few years something like this comes up about LastPass - brings relief to be running RoboForm. :showoff:

Now I don't know the relative levels of security, I myself am switching from LastPass to 1Password, but I'm 100% positive that any app including Roboform can be hacked by "tricking the user into running a malicious payload".

The real weakness here is that the AV can be dodged, and AV will always be steps behind the latest malware.
dcs18 Posted December 4, 2014

> > Every once in a few years something like this comes up about LastPass - brings relief to be running RoboForm. :showoff:
>
> Now I don't know the relative levels of security, I myself am switching from LastPass to 1Password, but I'm 100% positive that any app including Roboform can be hacked by "tricking the user into running a malicious payload".
>
> The real weakness here is that the AV can be dodged, and AV will always be steps behind the latest malware.

The final vulnerability is not in accessing the password - but in the insecure way that LastPass seems to store it.

As far as the weakness is concerned, I am surprised the Researcher makes mention of the AntiVirus part of security, which to my mind is of secondary concern. The primary concern should have been, IMO - the firewall (AntiVirus is far more easily deceived than the firewall.)

Moreover, the AntiVirus layer comes into action only later in the day - far behind the front-line firewall layer of security.

Now, leaving aside technicalities - LastPass is the one (and only one) which is being reported as the victim of these exploits. Personally, if RoboForm were to be found wanting, too - I would ditch it.
shorty6100 Posted December 4, 2014

Sticking with LastPass. Never had an issue.
davmil Posted December 5, 2014

> Sticking with LastPass. Never had an issue.

I like LastPass too, but they, and we, must remain diligent and keep up to date or part ways. IMO - don't get married to any software; they would sell you for a dime. Always remember that.
mr47 Posted December 11, 2014

Does the browser provide any extra security against such threats? I.e. does it make a difference to use Pale Moon vs Firefox?