
Discovering LastPass shared passwords - zdw
http://changedmy.name/2013/10/26/discovering-secrets.html
======
UnoriginalGuy
Cannot argue with the results. The whole concept is "impossible" to begin with
since even if LastPass hid the content for the development bar (on the
LastPass UI) they would eventually still have to submit it to the third party
site and you could use the Network tab to grab the raw HTTP request right out
of the air.

So I am fine with this weakness. It doesn't impact their core product. This
feature is still vaguely useful for less technically literate people, but
maybe needs some kind of disclaimer.

~~~
giovannibajo1
Agreed. On the other hand, I've used it to share passwords with non-geeks, and
I wouldn't expect them to be able to retrieve it just with the Chrome
inspector. That is the surprising part of the article, at least to me.

I would like to see at least that part fixed, anything else is fine by me at
least (if you want their browser to login, the password has to go through the
network at some point, so there's really no news here).

~~~
jrochkind1
Non-geeks probably don't know how to use the Chrome inspector, right?

Well, they do if they find instructions to follow to do so to retrieve a
LastPass shared password.

I would expect that, no matter how they try to obscure it, it will be
retrievable even by non-geeks who find and follow specific instructions to
retrieve it.

So I'm not sure how much development effort it's worth to try and obscure it
further -- if that's even possible.

LastPass probably ought to be VERY very clear that it's merely slightly
obscured, not truly protected, from someone you share it with. Mainly because
if someone is confused about this, when they find out it's less protected than
they thought, they may begin to doubt LastPass's security in general.

If I were LastPass, I'd _reduce_ the level of obscuring going on, to try to
make it even more obvious that a shared password is not protected from the
sharee.

~~~
giovannibajo1
IMHO LastPass is clear about it. They say: "Savvy end users could potentially
access the password if they capture it using advanced techniques during the
login process". I think this sentence conveys the correct meaning to most
people reading it (programmers should understand that the feature is not real
security just upon seeing it).

I agree that most end-users won't know how to use the inspector, but that's
really two clicks on a window of their browser. The blog also goes the
complicated way with javascript, but the easiest way (also mentioned) is
really really easy: right click on the password, inspect element, click on
"properties", scroll down.

Using wireshark or modifying /etc/hosts with a custom html file is surely more
complicated.

------
borisjabes
We do this differently at Meldium (YC W13) and reliably provide a way to share
passwords without end-users seeing them. The login occurs on the server side
and only the session is transferred to the sharee's browser. Thus, the
password is truly never shared or sent down over the wire.

~~~
ryanto
This is interesting and certainly solves the problems mentioned in the
article. However, it does introduce a whole bunch of new attack vectors.

Have you thought about the idea of selling the product as a machine that
clients can run in house? Something that is only accessible to them, similar
to how GitHub enterprise works.

~~~
borisjabes
We definitely intend to provide the secure vault component as something you
can host internally (exactly like GitHub Enterprise).

------
STRML
This points to what is actually quite a large problem with the LastPass vault.
A lot of people I know (myself included) keep the password saved on the vault,
so that it will offer to AutoFill/AutoLogin when you visit a site you have an
account on. It then is set to re-prompt for the master password to actually
fill or reveal the site's password.

Unfortunately, passwords are retrievable out of the LastPass vault in exactly
the same way as in the article. It is trivial to simply inspect the DOM and
pull them out with some basic JS. This is unacceptable IMO and must be fixed;
LastPass is barely functional if you don't keep it logged in. But if you do,
all it takes is a right click and a few keystrokes to reveal each password.

I feel a lot worse about this product, now.

~~~
ams6110
In what way could any password manager both auto-fill login fields on a web
form and also prevent DOM inspection from revealing the password? It seems
flatly impossible to me.

~~~
mschulkind
This is not what is being claimed here.

I do the exact same thing as STRML with my LastPass vault. LastPass has a bunch
of fine-grained access controls for when the password needs to be entered.
Having your password saved on LastPass just lets you view your list of
passwords, as long as you have it set to require the master password before
accessing an individual password.

Here is how the process goes for logging into a website with these settings:

1) Go to website

2) Click autologin

3) Type your master password

4) Lastpass fills in your password on the website and logs you in

This clearly involves your master password before doing anything that would
seem to reveal your individual website password. The problem here is that this
would appear to be completely false as the article points out.

Another way to get the password in lastpass:

1) Open the lastpass vault

2) Search for the target website

3) Click edit

4) Click the eye icon to show your password

5) Type in your master password

6) See the password

Once again, exactly as you'd expect, and seems to require the master password
before revealing anything. The problem is that you can replace steps #5 and #6
with (in chrome):

5) ctrl-shift-j (brings up dev console)

6) $('input[type=password]').setAttribute('type', 'text')

And now your password is sitting there in plaintext without ever requiring
your master password, despite telling LastPass to require your master password
for any password access.

I agree with the rest of the commenters that sharing a password with someone
and expecting it to remain secret is a bit foolish, but the problem I
described here is a HUGE vulnerability. I'm going to seriously reconsider
using LastPass ever again.

~~~
city41
So the LastPass vault itself is a web application? If that is the case, I'm a
little flabbergasted.

I use 1Password (not associated with them at all, just a reasonably happy
customer). The 1Password app is a native application which as far as I know
has no vulnerabilities like this.

------
troupe
I always assumed that the option only determined whether or not they were
given the ability to click and view the password in the LastPass UI. The
password must necessarily exist on their computer in an unencrypted state in
order to fill out a login screen. It seems really strange to me that people
would assume there was a way for it to be securely hidden from the user.

Either way, sharing the password assumes that you are giving them the ability
to login to your account. If the person you share with wants to give the
password to someone else, it doesn't matter if they can see it or not. They
can just share the password to their LastPass account. In other words the fact
that they can see the password doesn't change anything from a security
standpoint.

I suppose the one exception is a situation where you wanted to use the same
password for your email and your bank and only wanted them to share access to
your email but not let them see the password so they couldn't log in to your
bank. This has a lot of security problems even if you aren't using LastPass or
sharing your passwords. LastPass does warn you not to use the same password on
multiple accounts unless you explicitly turn the warning off.

------
300bps
I use KeePass with a password vault stored on SkyDrive but I would _never_ use
LastPass. The web browser opens up so many attack vectors that I don't trust
anything they do.

I know one person that used to use LastPass. He was a coworker that would
utilize it on a shared terminal server and he would select the option to
remain logged in. I logged in as me on the terminal server, copied his Chrome
cookies file to another account and was immediately able to log in as him to
LastPass and access every single one of his passwords. He deleted his LastPass
account that day.

There are plenty of ways to address this and other inherent security issues
with it but I don't see evidence that the majority of non-technical LastPass
users are utilizing any of them.

Here's a discussion that I found about the issue I discussed on LastPass'
forum:

[https://forums.lastpass.com/viewtopic.php?f=6&t=33329](https://forums.lastpass.com/viewtopic.php?f=6&t=33329)

~~~
gregd
So this "one person" deliberately made his LastPass account insecure by
selecting "the option to remain logged in" on a "shared terminal server" and
it's the fault of LastPass?

Sometimes you simply can't protect end-users from themselves.

------
jtheory
This sounds like the kind of "security" feature that will show up on a
criminal court case in the future -- that's why I don't like it.

Think about how easy it will be for a company to prosecute the "hacker" who
was able to circumvent the security of highly-reputed LastPass to do whatever
minor thing they did. LastPass uses strong cryptography and blah di blah blah,
after all, so this must be a hard-core hacker who needs to be made an example
of.

I understand why the feature is useful -- it's a sort-of "honesty lock" that's
easy to get off, but it's obvious to the user that they're not _supposed_ to
take it off -- but LastPass should change the language around it so that
non-technical users understand that _regular people_, non-experts, can bypass it.

------
joshuaheard
I love LastPass and like sharing access to my accounts this way, but I don't
even know why they have this option and it's turned on by default. This option
is trivial and they should just get rid of it.

~~~
300bps
_I love LastPass...but I don't even know why they have this option_

What is your love of LastPass based on? I suspect it's based on trust. But
here's what we have: a company states that you can share a password and the
"password will remain a secret" but it's anything but a secret. Doesn't that
erode your trust in the company - just a little bit? What other security
assertions are they making that are just plain wrong?

------
theboss
Did any of you actually expect that you could share an account (a username and
password) without one party knowing a piece of the information?

Whether through Burp or through DOM inspection there is not much possibility
to share an account without them reading the password.

The feature of sharing an account is, by definition, insecure.

The best solution, if you must share the account, is to use LastPass and
change the password after they use the account and let LastPass remember the
new password.

~~~
300bps
_Did any of you actually expect that you could share an account (a username
and password) without one party knowing a piece of the information?_

Most technical users would not believe this. But here's the problem. This is
what LastPass says when sharing the password:

 _password will remain a secret_

So it is rational to believe that the majority of users will believe (since
they are told this by LastPass) that the password will remain a secret.

And this misses the most important issue. What other claims are LastPass
asserting that are easily falsified?

~~~
theboss
In my examination LastPass does a good job with what it does and I know it
has held up under scrutiny from various infosec professionals (you can find
some blog posts from nova hacKer's).

You can also code audit them by installing their Chrome extension and finding
where it's installed.

~~~
300bps
_it has held up under scrutiny from various infosec professionals (you can
find some blog posts from nova hacKer's)_

Thanks for the additional information. I was honestly incredulous that any
security professional would recommend LastPass for important things like bank
credentials so I did some Googling specifically for the one you mentioned:

[https://www.novainfosec.com/2011/11/15/new-multifactor-authentication-for-lastpass/](https://www.novainfosec.com/2011/11/15/new-multifactor-authentication-for-lastpass/)

 _Although I probably wouldn’t store high value passwords using an online
service like this, LastPass provides a simple way to use different strong
passwords for every site you need to authenticate to._

This is exactly how I think about it. Online forums? Sure, LastPass is
probably great. Online banking? No. Brokerages? No. Web-based email? No.

------
dbuxton
This is why we have looked at services like
[https://www.meldium.com/](https://www.meldium.com/) but unfortunately
(because of the way it works) it doesn't work for arbitrary services, only for
ones they have done an integration with.

~~~
borisjabes
Anything we can add for you to get to full coverage?

------
TallboyOne
You also can just use 1Password to save the field that was filled in by
LastPass, then log into your 1Password and copy the saved password.

------
hussong
How does this compare to the way that sharing is implemented in PassPack?

~~~
davidbanham
Totally different beast. The issue here is that LastPass claims they can hide
the password from the person you're sharing it with. Passpack makes no such
claim. When you share a password with someone, they see it.

