Experts Find a Way to Gain Unauthorized Access to Your LastPass Password Vault

Two security researchers have shown that a series of design flaws and questionable security decisions in the popular password manager LastPass could expose users’ passwords.

Martin Vigo and Alberto Garcia Illera, two security researchers working at Salesforce, demonstrated a way to recover the key needed to decrypt a LastPass vault. They presented the work at the Black Hat Europe security conference last week.

The Spanish duo have also published their findings in a detailed blog post.

The researchers found ways to bypass two-factor authentication and to abuse LastPass’ “account recovery” feature, either of which can give an attacker access to the target’s vault. The attack does not even require the vault’s master password.

The Means to Bypass LastPass’ Security

The duo investigated attacks in three scenarios:

  • An attacker with access to the victim’s computer.
  • An attack aimed at LastPass’ servers.
  • A remote attacker working over the internet, relying on social engineering and whatever else can be found online.

The first case, an attacker with access to the victim’s computer, can be disastrous. When the user has chosen to let LastPass remember the master password, it is stored locally in a weakly protected form that Garcia and Vigo were able to decrypt with little effort. Users who did not save the master password locally were still exposed: the cookies LastPass sets in the browser are readable by an attacker on the same machine and gave another route to the vault.

The second scenario, an attack on LastPass’ servers, is where a disgruntled insider or a government agency engaged in mass surveillance could strike. LastPass encrypts the passwords in the vault, but not the URLs stored alongside them, which leaves a user’s browsing habits open to anyone with access to the server-side data.

The final scenario, the remote attack, also turned up a Firefox-specific weakness that let the white-hat duo isolate the LastPass credentials of users who ran the extension in that browser. Unlike other browsers, Firefox does not keep extension data in an SQLite database. LastPass’ stored credentials therefore ended up in the profile’s prefs.js file, a plain-text JavaScript file that holds the browser’s settings and configuration, alongside the LastPass data.
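A practitioner auditing a Firefox profile wants to know what an extension has left behind in prefs.js before an attacker reads it. The following is an added example, not the researchers’ tooling and not LastPass code: a small parser for the `user_pref("name", value);` format Firefox uses in prefs.js, plus a heuristic that flags long opaque string values under a chosen preference prefix. The sample file and the `extensions.exampleext.*` preference names are constructed for this illustration and are not LastPass’ actual keys.

```python
import re
from typing import Dict, Union

PrefValue = Union[str, int, bool]

# One Firefox preference line: user_pref("name", value);
# value is a double-quoted JS string (with backslash escapes), an integer, or true/false.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;'
)

# Constructed sample prefs.js. The extensions.exampleext.* names are placeholders
# invented for this example; the "saved_login" value is an arbitrary opaque blob.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
// DO NOT EDIT THIS FILE.
user_pref("app.update.lastUpdateTime", 1447000000);
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("extensions.exampleext.username", "alice@example.org");
user_pref("extensions.exampleext.saved_login", "ZmFrZS1lbmNyeXB0ZWQtYmxvYi1mb3ItZGVtby1vbmx5LTEyMzQ=");
user_pref("extensions.exampleext.remember", true);
'''


def _unescape(s: str) -> str:
    """Undo the two escapes that matter for prefs.js string literals: \\" and \\\\."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js text into {name: value}; comments and malformed lines are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            prefs[name] = _unescape(raw[1:-1])
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def find_extension_prefs(prefs: Dict[str, PrefValue], needle: str) -> Dict[str, PrefValue]:
    """Return the preferences whose name contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return {k: v for k, v in prefs.items() if needle in k.lower()}


def looks_like_secret(value: PrefValue) -> bool:
    """Heuristic: a long run of base64/hex-style characters is worth a human look."""
    if not isinstance(value, str) or len(value) < 32:
        return False
    return re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None


def audit(text: str, needle: str) -> Dict[str, str]:
    """Names of extension preferences holding opaque blobs that may be stored secrets."""
    hits = find_extension_prefs(parse_prefs(text), needle)
    return {k: v for k, v in hits.items() if looks_like_secret(v)}


if __name__ == "__main__":
    # On a real system point this at ~/.mozilla/firefox/<profile>/prefs.js instead.
    for name, blob in audit(SAMPLE_PREFS_JS, "exampleext").items():
        print(f"review: {name} holds a {len(blob)}-character opaque value")
```

The heuristic only flags candidates; whether a flagged value is an encrypted blob, a session token, or harmless cache is for the reviewer to decide. The point of the check is that anything an extension writes to prefs.js is readable by whoever can read the profile directory, which is exactly the exposure the researchers describe.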

The researchers notified LastPass of the issues before presenting them at the conference, and LastPass has since fixed most of the bugs.

The duo added:

Even though we exposed weaknesses in LastPass, it is still a solid tool.