
Breaking LastPass: Instant Unlock of the Password Vault - sutch
https://blog.elcomsoft.com/2020/04/breaking-lastpass-instant-unlock-of-the-password-vault/
======
Spivak
The short version: LastPass doesn't use the login keyring to save the master
password when it's saved, opting instead to store it in a local file.

I think it's funny that these things are considered vulns since I can't even
count the number of random dev tools (hello awscli, that needs a 3rd party
wrapper to use the keyring) that need passwords and keys just lying around in
plaintext files.

FileVault, BitLocker, and LUKS are the only real defense against this sort of
thing, since once you hijack a logged-in session the best you can do is make
attacks harder, not actually stop them.

~~~
abjKT26nO8
As far as I understand, Apple's Keychain lets you save passwords and then
grant access to them on a per-application basis, instead of leaving them lying
in text files for any program to read. Could anybody confirm that? I've never
had a Mac, but I've been thinking about this issue for quite some time.

(EDIT: TFA doesn't clarify that.)

------
op00to
Only exploitable on Windows, using the Chrome app, if you save your password.
Attacker needs file system access.

~~~
paco3346
My understanding is that this is exploitable on any machine using the
extension (so Chrome or any other Chromium based browsers) regardless of
operating system.

~~~
0xff00ffee
I don't understand how their "magic cracking tool" manages to crack AES256 "in
a few seconds" regardless of the length of the password. Poorly written
article. The PDF they link to is more interesting.

From their website:

"Reveal Stored Internet Passwords

Elcomsoft Internet Password Breaker instantly reveals Internet passwords,
retrieves login and password information protecting a variety of Web resources
and mailboxes in various email clients. The tool instantly extracts passwords,
stored forms and AutoComplete information in popular Web browsers, and
captures mailbox and identity passwords from popular email clients."

...instantly?

------
PikachuEXE
I bailed from it when it was acquired by a PE. But still good to know it's
insecure, with proof!

------
anon-kun
Who would have thought that saving all your passwords in a Browser (Extension)
is a bad idea...

~~~
gatestone
Who would have thought that if you let your software remember your
password and use it automatically, it must store it somewhere?

The criticism of not using the Windows API for storing secrets is valid,
though, but it still does not help if you, and the malware you run, are logged
in.

