Hacking LastPass.com

Post by drholmes on Thu Jul 01, 2010 4:49 pm

Hi,

I'm a user of LastPass.com, and there's an issue which I find to be a blatant security problem, but I'm basically getting flamed when I try to discuss it over there. So in this first post in this forum, I'd like to ask the opinion of some outsiders.

LastPass is a password manager where all decryption is local, but is synced to a server with AES encryption. It runs as a browser-plugin. That part is fine.

The issue I'm having is that even though they allow Multi-Factor Authentication, such as YubiKey, you can disable YubiKey simply by clicking in an email that is sent to your main email address. Unfortunately, they refuse to allow this email to be sent to another address, and since you need to have LastPass associated with an email account that you actively use for billing reasons, it means that if you're compromised, I believe that the hacker already has everything he needs to bypass Multi-Factor Authentication, and take over your LastPass account.

When you log into LastPass, you use an email address, which is already printed on the screen, and a password, which you type. It then prompts you for Multi-Factor Authentication (YubiKey), which is checked with the Yubikey servers.

What I'm saying is that if you use a webmail account such as GMail, and you for whatever reason have malware running on your computer, chances are high that you've both had your email account compromised, as well as your LastPass login compromised, since a screen-capturing keylogger can easily capture your LastPass credentials, and a man-in-the-browser or some other mechanism can easily take over your email account.

What I'm trying to make them do is either (1) do as eBay, and never print the full email address on the screen, or (2) send the reset-email to another email account than your main one, or via SMS, or via some other channel. Because again, the assumption is that if you have malware on your system, your email will also have been compromised, and then the attacker has everything he needs to disable Multi-Factor Authentication, and then log into your account using the credentials he already has captured.

This is catastrophic, since a LastPass account is likely to hold bank logins, credit cards, server logins, social security numbers, basically your entire life. Given that this attack is untargeted, i.e. the hacker doesn't even have to be looking for LastPass in particular, it could be very devastating.

The arguments coming back from LastPass include:

1.) We're small, we won't be attacked.
2.) Hackers give up after 2 minutes, they won't persevere.
3.) It's just an unrealistic attack, it won't happen.
4.) It's impossible to get anything installed in the browser that will capture your webmail login if the login is done by the password manager, i.e. it's impossible to capture the form submission.
5.) Your firewall will detect the upload of the capture feed.
6.) Your antivirus will catch the install of the malware.

I find that each of these arguments represents enormous denial about reality.

1.) In reality, you'll be attacked no matter what your size.
2.) Hackers don't give up. Many of them are highly paid by organized crime to do this exact work.
3.) It's fully realistic, and is already being done. CitiBank recently suffered great losses from this exact attack.
4.) It seems that if you control the computer, you can install anything anywhere without the user knowing.
5.) The firewall will not capture regular port 80 POSTs. You can easily evacuate data from the computer without triggering a firewall.
6.) Many threats are undetectable when they're new.

Could anyone please tell me where I'm going wrong? I find this attack not just possible, but probable.

Best,

Per
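The attack chain drholmes describes, written out as a small threat model that also covers the two fixes he proposes (an added example, not code from the thread or from LastPass; the capability names, the three policies and the sample scenario are constructed assumptions):

```python
# Added example: the "disable MFA via email link" flow from the post as a
# threat model. Capability names and policies are constructed, not LastPass's.
from typing import FrozenSet

PASSWORD = "password"        # captured by a screen-capturing keylogger
EMAIL = "primary_email"      # webmail taken over by malware in the browser
YUBIKEY = "yubikey"          # physical token; cannot be copied remotely
SMS = "sms"                  # out-of-band channel the post asks for

# What the "disable multi-factor" step demands under each policy.
POLICIES = {
    "link_to_primary_email": {EMAIL},       # flow as described in the post
    "link_to_other_channel": {SMS},         # post's option (2): SMS / other address
    "present_existing_factor": {YUBIKEY},   # turning MFA off needs the token itself
}


def can_disable_mfa(policy: str, attacker_has: FrozenSet[str]) -> bool:
    """True if the attacker's capabilities satisfy the policy's disable step."""
    return POLICIES[policy] <= attacker_has


def account_takeover(policy: str, attacker_has: FrozenSet[str]) -> bool:
    """Can the attacker log in? Needs the password plus either the live
    factor or a way to switch the factor off first."""
    if PASSWORD not in attacker_has:
        return False
    return YUBIKEY in attacker_has or can_disable_mfa(policy, attacker_has)


def mask_email(address: str) -> str:
    """Post's option (1): never print the full address (keep first char + domain)."""
    local, _, domain = address.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


# Constructed scenario from the post: malware on the PC yields password + webmail.
MALWARE_ON_PC = frozenset({PASSWORD, EMAIL})

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:26} takeover={account_takeover(policy, MALWARE_ON_PC)}")
    print(mask_email("drholmes@example.com"))
```

Only the first policy lets the constructed malware scenario take the account over; the other two force the attacker to obtain something the compromised PC and webmail do not give him.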


Re: Hacking LastPass.com

Post by sanddbox on Thu Jul 01, 2010 5:45 pm

You're going wrong in not ditching a crappy service with an obvious security hole that they refuse to acknowledge.

However, this kind of attack would also be possible if you DIDN'T use lastpass.

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat


Re: Hacking LastPass.com

Post by Bren2010 on Thu Jul 01, 2010 6:18 pm

drholmes wrote: The arguments coming back from LastPass include:

1.) We're small, we won't be attacked.
2.) Hackers give up after 2 minutes, they won't persevere.
3.) It's just an unrealistic attack, it won't happen.
4.) It's impossible to get anything installed in the browser that will capture your webmail login if the login is done by the password manager, i.e. it's impossible to capture the form submission.
5.) Your firewall will detect the upload of the capture feed.
6.) Your antivirus will catch the install of the malware.

I find that each of these arguments represents enormous denial about reality.

1.) In reality, you'll be attacked no matter what your size.
2.) Hackers don't give up. Many of them are highly paid by organized crime to do this exact work.
3.) It's fully realistic, and is already being done. CitiBank recently suffered great losses from this exact attack.
4.) It seems that if you control the computer, you can install anything anywhere without the user knowing.
5.) The firewall will not capture regular port 80 POSTs. You can easily evacuate data from the computer without triggering a firewall.
6.) Many threats are undetectable when they're new.


1.) It makes sense to weed out the small sites, since they would be less secure.
2.) Whatev. :ugeek: I've spent all day trying to do something that's supposedly impossible. We are a very persistent bunch.
3.) It's obviously realistic if it's happened. Duh.
4.) Of course it's possible. Keyloggers, network sniffers, the list goes on.
5.) Difficult to get by. Even newer internet explorers are good about not letting this happen.
6.) You mean the people who bother to get antivirus?

Anyway, I really wouldn't post the name of the site here, and that you know how to hack them. You'll agitate the locals.


Re: Hacking LastPass.com

Post by insomaniacal on Thu Jul 01, 2010 6:25 pm

You've disappointed me drholmes, I came here ready to flash my authority around and lock a thread xD. You're not breaking any rules as far as I can tell though, so it's all good.

I'd stop using the service and make this as widely known as possible, especially among their users. Once they start seeing a couple of people complaining about this, they'll be forced to do something about it.
It's not who votes that counts, it's who counts the votes
insomaniacal.blog.com


Re: Hacking LastPass.com

Post by Goatboy on Thu Jul 01, 2010 7:20 pm

insomaniacal wrote: You've disappointed me drholmes, I came here ready to flash my authority around and lock a thread xD. You're not breaking any rules as far as I can tell though, so it's all good.

We could always edit his post to make him look bad.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk