Researchers to Reveal Critical LastPass Issues in November 2015

In the end, will it turn out that writing down your passwords on the back of an old business card in your wallet is actually more secure than an online password management service?

Password managers are great because they store a virtually unlimited amount of sensitive information: accounts, passwords, credit card numbers and other private data. They keep you from having to memorize unique strong passwords, or use other means to remember them such as writing them down. All the data is protected by a single master password and, if supported, by additional means of protection such as two-factor authentication.

Security of the password manager and its database is of utmost importance, considering that attackers would gain access to all the data stored by a user if they somehow managed to gain access to the account.

That single access would give the attacker access to most of the accounts of that user and even data that is not linked directly to the Internet if it has been added to the vault as well.


Security researchers Alberto Garcia and Martin Vigo will demonstrate attacks on the popular online password management service LastPass at the Blackhat Europe 2015 conference in November.

Here is what they will demonstrate:

  1. How to steal and decrypt the LastPass master password.
  2. How to abuse password recovery to obtain the encryption key for the vault.
  3. How to bypass 2-factor authentication used by LastPass to improve security of accounts.

The methods they will use to do so are not revealed in the briefing, but the researchers mention that they have reverse-engineered LastPass plugins and discovered several attack vectors in doing so. It is likely that by plugins they mean browser extensions, but this is not clear from the briefing.

While it is too early to tell how effective and applicable these attack forms are, it is certainly something that LastPass users should keep a close eye on.

The attacks could for instance require a modified browser extension or other components that need to run on a computer system to be effective. This would obviously be less of an issue than something that could be exploited right away on systems running official plugins and extensions.

LastPass users will have to wait almost two months before the attacks are revealed at the conference. Cautious users may want to disable the extensions in the meantime to avoid harm, since it is unclear how these attacks are carried out. (via Caschy)
