So I am fine with this weakness. It doesn't impact their core product. This feature is still vaguely useful for less technically literate people, but maybe needs some kind of disclaimer.
I would like to see at least that part fixed, anything else is fine by me at least (if you want their browser to log in, the password has to go through the network at some point, so there's really no news here).
Well, they do if they find instructions to follow to do so to retrieve a LastPass shared password.
I would expect that, no matter how they try to obscure it, it will be retrievable even by non-geeks who find and follow specific instructions to retrieve it.
So I'm not sure how much development effort it's worth to try and obscure it further -- if that's even possible.
LastPass probably ought to be VERY very clear that it's merely slightly obscured, not truly protected, from someone you share it with. Mainly because if someone is confused about this, when they find out it's less protected than they thought, they may begin to doubt LastPass's security in general.
If I were LastPass, I'd reduce the level of obscuring going on, to try to make it even more obvious that a shared password is not protected from the sharee.
Using Wireshark or modifying /etc/hosts with a custom HTML file is surely more complicated.
I think it's pretty clear that the feature is just obscurity and works only in simple cases. It was pretty clear for me at least from the moment I saw it, and it's clearly written and explained.
Does it make it useless? I don't think so. I'd rather LastPass keep it the way it is (maybe closing down the most simple way to retrieve it, like the inspector) rather than removing it altogether just because it can't be a real security feature.
Perhaps there could be issues because of the origin domain of the cookie though.
Have you thought about the idea of selling the product as a machine that clients can run in house? Something that is only accessible to them, similar to how GitHub enterprise works.
Unfortunately, passwords are retrievable out of the LastPass vault in exactly the same way as in the article. It is trivial to simply inspect the DOM and pull them out with some basic JS. This is unacceptable IMO and must be fixed; LastPass is barely functional if you don't keep it logged in. But if you do, all it takes is a right click and a few keystrokes to reveal each password.
I feel a lot worse about this product, now.
I do the exact same thing STRML with my LastPass vault. LastPass has a bunch of fine-grained access controls for when the password needs to be entered. Having your password saved on LastPass just lets you view your list of passwords, as long as you have it set to require the master password before accessing an individual password.
Here is how the process goes for logging into a website with these settings:
1) Go to website
2) Click autologin
3) Type your master password
4) LastPass fills in your password on the website and logs you in
This clearly involves your master password before doing anything that would seem to reveal your individual website password. The problem here is that this would appear to be completely false as the article points out.
Another way to get the password in LastPass:
1) Open the lastpass vault
2) Search for the target website
3) Click edit
4) Click the eye icon to show your password
5) Type in your master password
6) See the password
Once again, exactly as you'd expect, and it seems to require the master password before revealing anything. The problem is that you can replace steps #5 and #6 with (in Chrome):
5) ctrl-shift-j (brings up dev console)
6) $('input[type=password]').setAttribute('type', 'text')
And now your password is sitting there in plaintext without ever requiring your master password, despite telling LastPass to require your master password for any password access.
I agree with the rest of the commenters that sharing a password with someone and expecting it to remain secret is a bit foolish, but the problem I described here is a HUGE vulnerability. I'm going to seriously reconsider using LastPass ever again.
I use 1Password (not associated with them at all, just a reasonably happy customer). The 1Password app is a native application which as far as I know has no vulnerabilities like this.
All hell breaks loose if you hand a logged-in computer to a friend; the security model of all operating systems doesn't account for that.
If you follow this basic security principle, you can keep your LastPass vault logged in, with a decent timeout (e.g. 1 day).
Using a laptop with full-disk encryption, I think 1-day logoff is more than enough for common scenarios (we're not speaking of NSA-going-after-you, as usual).
If you're using a laptop without full-disk encryption, I'd agree that the best way is to configure LastPass to automatically log off when the computer enters standby/hibernate (for enterprises, this kind of configuration can be enforced for all business accounts as a policy). That's still a much better compromise than having it always logged off and having to log in again for any password you use.
Either way, sharing the password assumes that you are giving them the ability to login to your account. If the person you share with wants to give the password to someone else, it doesn't matter if they can see it or not. They can just share the password to their LastPass account. In other words the fact that they can see the password doesn't change anything from a security standpoint.
I suppose the one exception is a situation where you wanted to use the same password for your email and your bank and only wanted them to share access to your email but not let them see the password so they couldn't log in to your bank. This has a lot of security problems even if you aren't using LastPass or sharing your passwords. LastPass does warn you not to use the same password on multiple accounts unless you explicitly turn the warning off.
I know one person that used to use LastPass. He was a coworker that would utilize it on a shared terminal server and he would select the option to remain logged in. I logged in as me on the terminal server, copied his Chrome cookies file to another account and was immediately able to log in as him to LastPass and access every single one of his passwords. He deleted his LastPass account that day.
There are plenty of ways to address this and other inherent security issues with it but I don't see evidence that the majority of non-technical LastPass users are utilizing any of them.
Here's a discussion that I found about the issue I discussed on LastPass' forum:
Sometimes you simply can't protect end-users from themselves.
Think about how easy it will be for a company to prosecute the "hacker" who was able to circumvent the security of highly-reputed LastPass to do whatever minor thing they did. LastPass uses strong cryptography and blah di blah blah, after all, so this must be a hard-core hacker who needs to be made an example of.
I understand why the feature is useful -- it's a sort-of "honesty lock" that's easy to get off, but it's obvious to the user that they're not supposed to take it off -- but LastPass should change the language around it so that non-technical users understand that regular people, non-experts, can bypass it.
What is your love of LastPass based on? I suspect it's based on trust. But here's what we have: a company states that you can share a password and the "password will remain a secret" but it's anything but a secret. Doesn't that erode your trust in the company - just a little bit? What other security assertions are they making that are just plain wrong?
Whether through Burp or through DOM inspection, there is not much possibility to share an account without them reading the password.
The feature of sharing an account is, by definition, insecure.
The best solution, if you must share the account, is to use LastPass and change the password after they use the account and let LastPass remember the new password.
Most technical users would not believe this. But here's the problem. This is what LastPass says when sharing the password:
password will remain a secret
So it is rational to believe that the majority of users will believe (since they are told this by LastPass) that the password will remain a secret.
And this misses the most important issue. What other claims are LastPass asserting that are easily falsified?
You can also code audit them by installing their Chrome extension and finding where it's installed.
Thanks for the additional information. I was honestly incredulous that any security professional would recommend LastPass for important things like bank credentials so I did some Googling specifically for the one you mentioned:
Although I probably wouldn’t store high value passwords using an online service like this, LastPass provides a simple way to use different strong passwords for every site you need to authenticate to.
This is exactly how I think about it. Online forums? Sure, LastPass is probably great. Online banking? No. Brokerages? No. Web-based email? No.