
PSA: LastPass Does Not Encrypt Everything in Your Vault - kobayashi
https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032#
======
astral303
I think this is NOT the case.

You are looking at intermediate data of what's stored in your decrypted blob.
Yes, some things are encrypted twice in the Lastpass vault.

The contents considered "unencrypted" by the blog post are actually only
accessible after your private key has been provided.

"How can Lastpass show me the Google logo?" It's shown by your Lastpass
Extension, after your vault has been decrypted with your password. It's the
same reason that Lastpass can show you the password saved for Google!

Notice that request has an unencrypted folder name, "Email." Those folder
names are only accessible after the decryption of the entire vault.

URLs are encrypted. LastPass does not know your URLs.

I noticed the article does not include the destination URL for this request,
only the parameters. So I can't make a determination as to why this request
was made and who the destination server is.

I just tried adding a new site to the "Email" folder, and no requests to
remote servers showed up in my Network tab.

IF the LastPass extension really does make a call to lastpass.com with this
information, then, yes, there is a possibility that Lastpass can track these
hashes in some separate store. But that doesn't mean that the encrypted vault
blob has the unencrypted data as claimed.

~~~
jzl
Agreed that the vault blob almost certainly hides all of this, but the
question still remains about how the logo is initially obtained. There still
might be a leak to lastpass when the logo url is first requested.

And if the extension is pulling the logo from the web then there is also a
leak to each site whenever it pulls (rather than to lastpass itself).

Best case scenario: the extension comes with a list of the most common logos
baked into it. But if that's the case, why would it save a logo url. Hmm ...

I'm pretty sure we'll be hearing back from Lastpass on this one.

~~~
pvg
_there is also a leak to each site_

That's not really a leak unless you're keeping a password to some site without
actually using the site and don't want the site to know you've done this. But
that probably doesn't come up often in practice.

~~~
jzl
Well, sure, but any out-of-band communication is potentially a leak. If the
extension pulls every logo whenever you run it (notwithstanding whatever
caching is used, if any), then every site that has a logo could track when you
open the extension at all. There are other potential issues here too ... like
if a maliciously formed logo image could be used to crash the extension, etc..

Those aren't great examples, but any out-of-band information leak is a bad
thing to have. Even if there are no known exploits now there might be future
exploits that haven't been anticipated. A common issue when it comes to
security.

~~~
pvg
How can the site tell you're using the extension? And so what if it does? The
site can guess you're using a password manager by noticing the instant
password entry. The malicious logo, that's really a problem for your browser
to deal with. Using an extension to help you talk to a site you already talk
to is not really a leak, given the purpose of such extensions.

~~~
jzl
A lone request for the logo image with no other simultaneous requests in the
log could probably be gleaned as a lastpass extension lookup.

And again in this scenario (which we don't know if it's accurate, yet) it's
pulling the image for every site with a logo whenever you browse the vault. So
your IP address could be leaked to a site that you don't want to know your
whereabouts at that moment.

Forensic information is forensic information. A security-conscious tool should
not be increasing one's forensic footprint.

------
AdmiralAsshat
Back to the Metadata problem. Here's how this information could be weaponized:

NSA: LastPass, we suspect that John Smith uses your service. Give us access to
John Smith's password database.

LastPass: We cannot, all of John's usernames and passwords are encrypted and
we ourselves don't have the key.

NSA: Alright, then, give us the _websites_ for which John Smith's database has
credentials for, and we'll subpoena each website of interest individually.

If John Smith has known email address JohnSmith@gmail.com, it is probably safe
to assume that the email is the login for at least some of the websites of
interest, and can then ask each website for info on that particular user.

~~~
valarauca1
Your tin foil hat is on a bit too tight.

    
    
        1.
    

The NSA already has that data they have your home address (this is public) and
can see you connect to gmail servers at times you are normally home for. We've
already seen evidence this is well within the NSA's capabilities based on the
Dread Pirate Robert's trial.

    
    
        2.
    

LastPass's RNG is closed source so if your threat model includes the NSA
you've already lost as it is very reasonable the NSA knows every password
LastPass could ever generate for you.

    
    
        3.
    

LastPass's encryption/decryption is ALSO closed source so there is no reason
the NSA can't just subpoena them to update your client with a faulty crypto.

    
    
        4.
    

LastPass Apps/Browser phone home once unlocked. If subpoena by the NSA they
can steal your password there.

Seriously if you have a threat model that includes the NSA you've already
lost.

~~~
dublinben
DPR had terrible OPSEC. We should all learn from his failures.

You are completely correct that any threat model that includes direct
attention from the NSA is insurmountable. Even highly skilled targets like OBL
are eventually defeated.

~~~
Bartweiss
OBL seems like an odd example for "insurmountable". He was probably the target
of more US gov't attention than anyone else who isn't running a country. After
more than a decade of active pursuit, he was compromised by a largely non-
digital security breakdown.

I agree with the general point about direct attention, but OBL seems closer to
the exception than norm.

------
martey
Is there is any proof that the "Concerned LastPass User" who wrote this isn't
just the creator of BitWarden?

I normally don't assume astroturfing without concrete evidence, but there is
no information in the post that explains why the author is anonymous and the
creator of BitWarden has previously made comments without disclosing their
affiliation
([https://news.ycombinator.com/item?id=12754396](https://news.ycombinator.com/item?id=12754396)).

~~~
mikeash
Does it matter? If the claim is true, then it's a serious problem. If it's
untrue, then the article is wrong. Neither one is changed if the author is a
particular person.

~~~
holtalanm
I really don't see how this is a "serious problem".

The only thing unencrypted is the site's domain name. Who cares? Site domains
are public anyways.

Definitely two opinions on this matter, I suppose. But for me, I really don't
care that they don't encrypt the domain names for the sites.

~~~
rocqua
Metadata matters. The NSA revelations have shown this.

For a really simple example, I guess there are quite a few people with a
pornhub account in their vault. I'd guess a significant portion of those users
don't want that fact to become public.

------
Flimm
LastPass is so buggy, I have a draft blog post that I'm going to publish some
day listing the dozens of bugs I've found. It's still the least worse cross-
platform password manager (with sharing and sync features) that I've tried.

Bitwarden looks interesting, but it doesn't seem to support team features, nor
does it seem to have any documentation, or even an "about us" page.

~~~
jerf
I'd either need Bitwarden to take some money _or_ be fully open source and I
have to provide the cloud storage. Being "free" but still clearly costing them
real operational money (even if not much) is not something I will plan on
being there in 5 years.

I don't necessarily _need_ LastPass to be there in 5 years, since I can export
and recover what I need into another manager if I need to, but I personally
don't want to go into something that is set up right now to not be there in 5
years.

This is not a permanent objection forever and ever, amen. If my objections go
out of date, I'd consider at least trying it.

~~~
xxkylexx
Hi there. I'm the lead developer of bitwarden. bitwarden is currently
sponsored by the Microsoft BizSpark program which covers many of our operation
costs and allows us to offer services for free to our users. We are working to
introduce enterprise features for businesses in the future which will allow us
to monetize. For now though, everything is free for users.

~~~
evaluniverse
Can I suggest that you explain this on the website? I visited, could see that
you had a cloud sync but couldn't see how you make money and left because it
didn't add up.

------
mulrian
I don't see this as much of an issue personally. I don't ever store any
identifying information in urls, so it's more of a convenience to have the
logos for easy navigation.

I get that they say that _everything_ is encrypted, but really it could be a
lot worse. I definitely won't be switching password managers just because of
this like some people are saying.

~~~
010a
Its a pretty huge deal if you store passwords for websites that you don't want
other people to know you even have an account for. Like, say, a dissident in a
politically oppressed country having an account for the US immigrations
website.

------
tscs37
Well, I'd love to use something other than Lastpass but there are no other
password managers that are as well integrated into chrome and that sync
seamlessly.

Keepass had tons of issues on the synch-side, merging incorrectly or just
plain not syncing in addition to the android app being horrible to some
extend. Additionally the chrome plugin is less well written, it's not bad but
not as easy to access as lastpass.

1password is still not out on linux and I have no intention of using them
until they bring out a linux client.

Bitwarden looks fishy to me (audit? pricing? funding? integration?).

If the only problem with Lastpass is that they sent out the URL of the site in
cleartext over a HTTPS connection, fine, have it, there is clearly worse and
it's something I'm willing to accept in exchange for one of the better
password managers.

~~~
jasikpark
Have you seen enpass? It is basically a more polished version of Keepass.
[https://enpass.io](https://enpass.io)

~~~
tscs37
enpass certainly looks interesting, the UI looks atleast as polished as
lastpass. I'll give it a short drive.

Thanks for sharing.

------
mistercow
This doesn't seem like a terribly important information leak, but what gets me
is that they obfuscated it by converting it to hex. Why do that?

On the one hand, it feels like they're being sneaky and trying to trick
savvier users who might glance at the data to make sure it "looks encrypted".
On the other hand, they have to have realized someone would notice eventually.
Or maybe that's the point: if they obfuscated it well, someone would break it
and they'd have egg on their faces. By just hiding it a little, they have
plausible deniability that they weren't trying to obfuscate.

But any way you slice it, it seems weird.

~~~
daveFNbuck
It's probably just easier to convert it to hex rather than worry about
escaping characters. I've done that before.

~~~
mistercow
Yeah, good point, although URL escaping is particularly easy.

------
jogjayr
Stupid question: why can't LastPass encrypt the URL as well and decrypt
client-side to show the logo, like they do (as I understand it) with
passwords?

~~~
chaosfox
that seems a better solution, but lastpass would still know that user_x is
downloading the google.com logo.

~~~
jogjayr
How? The logo image request goes to google.com then, and not Lastpass, right?

~~~
chaosfox
I am assuming lastpass have the logos on their domain. if the request goes to
google.com then its fine as long as the referer isn't sent.

------
jenoer
Perhaps a silly question as I do not have a lot of experience with software
like this, but:

What prevents Lastpass, bitwarden or any other third-party to update their
software (and/or compromise the download server) to synchronize all
information un-encrypted in a new version which is auto-updated by the user?

I currently use KeePassX, and synchronize this file with a secure server
myself since I feel uncomfortable with having software that handles the
encryption also controlling the synchronizing service.

~~~
sliken
Two fixes: 1) find an opensource one, compile it yourself, verify it's
behavior, install it yourself 2) find one that works without using network,
don't approve adding network permissions ever, run it in a jail without
network, on android you can deny the network permission.

This works again random software companies, but not against google.

------
mnm1
Lastpass is an atrocity to software. In almost a year using it (including its
"Premium" version), I was unable to get their password change feature working
and it was often unable to remember passwords properly. I would change the
password, Lastpass would show the right password in its UI, then it would use
the wrong one. This is the most basic feature of a password manager and it
simply doesn't work. Their support, even for the paid version, might as well
be a bot that just spits out random Lastpass "facts".

I see a ton of reviews all over the Internet claiming it's one of the best
password managers, and I wonder if these reviewers and websites didn't just
get paid some money to write a positive review without ever installing, let
alone using the software. With the software being so shoddy, I would not trust
my passwords to Lastpass even if they ended up fixing the UX. I ended up
deleting my account and switching to Enpass which has worked flawlessly. On
top of that, I don't have to trust Lastpass, or any shitty company like that,
with my most valuable data and can sync it over WiFi, my NAS, and shared
folders in addition to cloud providers (also works in Linux).

------
CtrlAltT5wpm
I've been using LP as a paid user for several years now, and was really
annoyed when they were absorbed by LogMeIn. My main issue is this: while there
are several alternatives to LP, there don't seem to be as many which have the
same or similar features while ALSO integrating YubiKey's OTP functions. I
bought a YubiKey because of LastPass, and slowly integrated it into my
workflows. I really like it as a second factor, and the additional
capabilities (such as storing secrets for TOTP, etc.) make it nearly
indispensable.

Last I checked (over a year ago), 1Password wasn't terribly interested in
adding it as a feature, and while there was a KeePass extension which
implemented HOTP-based 2nd factor, I never got it to work reliably. Is there
ANY service which integrates the YubiKey as well as LP does? I'm more tied to
that than I am to LP.

 __Unrelated to the initial post, but here 's a recent LP annoyance: on
January 9, LP pushed an update to the Chrome extension which broke the version
3.0 view (which looked like a filesystem), forcing users to move to their 4.0
view if they wanted to use the extension. According to a user commenting on
the support tab in the Chrome store, "you deleted the min.js file from your
extension but your lastpass version 3 view still needs this file. cant even
manually copy it back because chrome then thinks its malware. keep up the good
work!"

I can't speak to the veracity of the comment, but LP's forum was pretty
active, and admins essentially said "don't use 3.0" as a fix. Support tickets
mentioned they were aware of the issue, but not much else. To be fair, LP did
say they would eventually deprecate the 3.0 view, but there was little
communication about the recent update, making it seem like they don't really
give a shit. I don't like their 4.0 view; it's less efficient, and more
interested in making things look pretty.

------
smnscu
As someone who's worked in this domain, I found this very poorly handled. The
obvious, privacy-conscious solution, would be to embed all logos in the
client, but this can be unfeasible on the web, depending on the quantity of
data. In practice, maybe sacrificing a couple of MB for a one time download
isn't such a bad trade-off for privacy (and this will only happen for logged-
in users who visit their vault).

However, if we want to trade off _some_, but not all privacy (in terms of what
logins a vault contains), I can think of a naive obfuscation scheme where
random domains are added to a login alongside the real one. Here's how that
could work:

    
    
        Preprocessing
        * assign an order to the logos and hence numerical IDs
        * pick a hash function (URL / site name) => ID
    
        User adds a new login:
        * is the URL recognized (e.g. accounts.google.com) i.e. do we have a logo for it?
        * if yes, obtain its ID e.g. 1
        * get N more random IDs e.g. 14, 124, 144
        * save all of them as the login's metadata e.g. "logo_cache:1,14,124,144"
    
        User requests logins (and hence needs logos):
        * compute (and cache) the list of IDs of logos needed (M entries x N logo IDs each, deduped)
        * pack and send the logos (hopefully a much smaller subset than all logos)

------
mikeash
It's really weird that the URL parameter is encoded as hex. Is this some
attempt to hide it, or just a lazy programmer not wanting to call an escape
function?

------
bearcobra
I got a license for 1Password Families in a Humble Bundle recently and have
been seriously considering making the switch from LastPass. The LastPass
Chrome extension gets disabled on me once or twice a week and has become a
real annoyance. The only thing holding me back is the ongoing pricing for
1Password is 5x more than LastPass.

------
asdz
I'm an ancient Lastpass user too. But I don't think the unencrypted URL
worries me.

If any 3-letter agency want my history, they can just visit anyone in between
me and the URL.

My browser have my browsing history. My ISP have my browsing history. DNS
resolvers have my browsing history. CDN have my browsing history. Proxy/VPN
have my browsing history. (which some they claims they don't log at all)

Basically browsing history is too accessible to anyone. If you are using
network that doesn't managed by you, they have your browsing history too.
(McD, Starbucks, etc)

And last again like others+Lastpass have commented, your whole pile of
encrypted data is encrypted together and sent to Lastpass. Did you try to read
your Wireshark?

------
dbg31415
I really like a lot of the features of LastPass... works across devices, has
groups with sharing options for teams, security audit and summary, auto
updates (on some sites), 2FA, and the dead man's switch is nice...

I haven't found any other services that work as well for teams with features
like this. I've tried 1Password and some others and found their team sharing
options lacking.

Curious what other teams are using -- not just personal password managers but
tools you can use successfully over an entire organization.

------
acejam
I've heard many bad things about LastPass - and this is just the cherry on
top. I highly recommend 1Password to everyone. I've been using it for about
2-3 years now and it's been absolutely flawless. Yes, it doesn't have a Linux
client, but that's literally the only "drawback" I can think of. As a
developer who uses a Mac, the only time I'm on Linux is when I'm SSH'd into a
server.

~~~
dkonofalski
It does run just fine in Wine, though. I've got a Ubuntu box that's been
running it with Dropbox and it syncs and runs just as well as my Mac version.

------
circa
I ditched LastPass after LogMeIn acquired them. With all of the bad press that
company has had over the years it was enough for me to move on.

For the most part I am happy with Dashlane and pay for it annually. Sometimes
when chrome or firefox update it take a while to load the browser plug-in.
other than that I have few complaints.

Anyone else use Dashlane or something similar, other than LastPass?

------
cheez
I had the same reaction when I saw the Google logo in my vault: "how do they
know?"

~~~
astral303
The vault is a local extension. It does not run off lastpass.com, unless you
actually log into the website-based online vault.

~~~
cheez
Good point. I rarely, if ever, use the website

------
mercnet
Anyone have recommendation for replacing Lastpass? I need support for Android,
Linux, and Windows. I would like to be in control of my data if possible (sync
to cloud) and a nice to have would be a browser extension for autocomplete.

~~~
invokestatic
KeePassX - I've been using it for years now. I just put the database on my
Dropbox. Quick, convenient, and most importantly for me, always in my own
hands.

~~~
2bluesc
I've used KeePassX for offline/cold storage for years. I like KeePassX so much
wrote a YubiKey extension [0] years ago but it was never merged. I assume the
maintainer wasn't interested, never responded, but allowed the discussion to
continue. Turns out this was more the norm than the exception, I assume the
maintainer was too busy or lost energy/interested in maintaining what became a
big project.

Years later KeePassXC[1] was forked and slowly growing.

[0]
[https://github.com/keepassx/keepassx/pull/52](https://github.com/keepassx/keepassx/pull/52)

[1]
[https://github.com/keepassxreboot/keepassxc](https://github.com/keepassxreboot/keepassxc)

------
gleb
If they have access to URLs that's even more bad than it seems. The URLs are
often registration form urls and can have secret data as url parameters.

LastPass needs to comment on this. It looks pretty bad.

------
zeveb
The (otherwise excellent) Password Store program effectively does the same
thing.

Folks, encrypt _everything_. Anything less is profoundly foolish.

------
EGreg
I have a question to all the hackers here about personal identity managers and
UX. There are projects to decentralize personal identity and move away from
passwords, such as Solid ([https://solid.mit.edu](https://solid.mit.edu)) and
our own project, Qbix
([https://qbix.com/platform](https://qbix.com/platform)).

The WeChat article recently posted shows one major thing about user behavior
and UX architecture. Users actually prefer to have one APP on their phone
representing their social identity, have all their notifications, contacts,
etc. from all different communities in the app.

So this probably means that the "personal identity server" should have some
default protocol to receive notifications (encrypted with user's public key)
and an APP for iOS and Android. The server would have rules for processing
notifications and may notify the user (eg it may stop after the first 5 or set
do not disturb where only the badge updates). Upon opening the app the user
would see all the notifications from all the other services (they would be
fetched and decrypted). And those notifications may contain deep-links back
into flows that generated the notifications, eg a chat.

What is also nice is if you can have these rules be general purpose hooks that
run on the client in some isolated JS environment. Then for example you can
update the list of ids that a user's contacts have on different services (if
you have pairwise anonymity) in the background. And next time you visit a
website the auth extension/library/app can offer to connect you with those
people on that website.

I think the Personal App should display badges corresponding to the # of
websites that have caused notifications, not the # of notifications. The
latter should appear only when you open the app and see the list of relying
party websites. Then each website can have a # of notifications next to it and
the can be sorted eg by most recent or most urgent notifications.

Last thing - by having a personal APP I have a feeling that it would also be
tied in with payments in the future. Identity service is becoming tied with
payments (to prevent fraud, China now ties the two together more than any
other country and cash is disappearing). So the Personal App could in the
future have some standard for attaching payment methods and using them without
giving the relying party anything except tokens representing payment plans the
user agreed to (like Stripe does).

In this way, even though payments are increasingly tied to identity - which
may lead to fascism - we can empower local communities to control the identity
and maybe in the future even issue their own money on their own credit! This
may help finance loans for poor people in India etc. (already shown that
having a large group guarantee loans works better for everyone due to social
factors etc.) and pull people out of poverty faster. @mediaprophet what do you
think of these points about integrating payments inside identity App in the
future?

(By the way I say community because you may host your own data AND your own
identity on your own server but when it comes to reputation and payments,
there has to be some others who give you this value. Maybe it will not be
communities. Maybe it will be completely distributed with no centers. But so
far in history, wealth and reputation and power has always found a way to
concentrate itself at least a little.)

------
lima
What's wrong with Chrome's built-in password manager nowadays?

~~~
beambot
Anyone with access to your computer can look at the plaintext passwords in
Chrome just by going to settings > passwords > show.

It's been a long-standing dispute... Chrome says "if people have physical
access, security is broken anyway." But that's because they refuse to
acknowledge the lesser threat model; "A non-tech savvy friend or family member
borrowing my computer for 20 min" -or- "my computer gets stolen from my desk
while I was logged in... and now they have access to all chrome passwords in
plaintext."

It's infuriating. Wish they'd fix that, even if it's a superficial fix.

~~~
holtalanm
Not on windows. On windows is requires your windows password to unlock your
passwords.

Actually, I think it does that on Mac OS too.

Don't know about Linux, since I haven't tried it.

~~~
drdaeman
It has support for Gnome Keyring or KWallet (IIRC, default is `--password-
store=detect`). If you're using either, then it's the same.

~~~
lima
Yes, it's using the gnome-keyring which requires unlocking. How is this less
secure than using LastPass or KeePass?

------
valarauca1
The article is 504'ing

Did they delete it?

~~~
msimpson
Medium is having issues:
[https://medium.statuspage.io/](https://medium.statuspage.io/)

------
elastic_church
"I wonder what the Federal Trade Commission thinks about that claim"

Would be my reply to the email, coupled with my demands.

