I think everyone knows what LastPass is. Many have entrusted it with storing all their usernames and passwords. And why not trust it: after all, the developers state that all information is protected and encrypted on the client side. Mindful of recent history, I decided to take the LastPass plugin apart, work out what is really protected and what is not, and continue my series of articles about small problems in large projects.
At first I really liked everything. LastPass creates a hash of your login and password, and that hash serves as the key for the AES algorithm:
KEY = SHA256 (EMAIL + PASSWORD)
For authorization the service uses a double hash: this value is what is sent to the server and serves as the verification key for login:
AUTH_HASH = SHA256 (KEY + PASSWORD)
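The two formulas above, carried through in Python as an added example (this is not the plugin's code). It assumes that EMAIL and PASSWORD are concatenated as UTF-8 strings and that each SHA-256 digest is rendered as lowercase hex before being fed into the next step; the page does not say which encoding LastPass uses. The point it illustrates is the split the article describes: KEY stays on the client as the AES key, while only AUTH_HASH travels to the server, which can compare it against a stored copy but cannot reverse it. Note that the only per-user salt in this scheme is the email address and that a single SHA-256 is cheap to compute, so the strength of the whole construction rests on the master password.

```python
import hashlib
import hmac


def derive_key(email: str, password: str) -> str:
    """KEY = SHA256(EMAIL + PASSWORD): the client-side AES key, never sent to the server.
    Assumption (not stated on the page): UTF-8 concatenation, lowercase hex digest."""
    return hashlib.sha256((email + password).encode("utf-8")).hexdigest()


def auth_hash(key: str, password: str) -> str:
    """AUTH_HASH = SHA256(KEY + PASSWORD): the value presented to the server at login.
    Assumption: KEY is fed in as its hex string."""
    return hashlib.sha256((key + password).encode("utf-8")).hexdigest()


def client_login_material(email: str, password: str) -> tuple:
    """What the client computes locally: (KEY kept on the client, AUTH_HASH sent out)."""
    key = derive_key(email, password)
    return key, auth_hash(key, password)


def server_check_login(stored_auth_hash: str, presented_auth_hash: str) -> bool:
    """Server side: the server only ever holds AUTH_HASH and compares it in constant time.
    From AUTH_HASH alone it cannot recover KEY, so it cannot decrypt the vault."""
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    key, ah = client_login_material("user@example.com", "correct horse")
    print("KEY (stays on client):", key)
    print("AUTH_HASH (sent):     ", ah)
    print("login ok:", server_check_login(ah, auth_hash(derive_key("user@example.com", "correct horse"), "correct horse")))
    print("wrong pw:", server_check_login(ah, auth_hash(derive_key("user@example.com", "wrong"), "wrong")))
```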
Indeed, the names of groups, accounts and the data itself are transmitted in encrypted form, and HTTPS is used everywhere. But as it turned out, there are things that are sent to the server without being encrypted with the user's key. For example, the full current URL of the site on which you are entering a password into LastPass for the first time.
Here is the request that the plugin sends to the server (some field values have been replaced):
POST /deliver_and_add.php HTTP/1.1
Host: lastpass.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 5045
Cookie: lang=en_US; sessonly=0; PHPSESSID=#;
X-LastPass: 1.74.0
X-wxsessid: #
Pragma: no-cache
Cache-Control: no-cache
sentms=#&data=#&ref=68747470733a2f2f7777772e676f6f676c652e636f6d2f6163636f756e74732f536572766963654c6f67696e3f736572766963653d6d61696c26706173736976653d7472756526726d3d66616c736526636f6e74696e75653d68747470732533412532462532466d61696c2e676f6f676c652e636f6d2532466d61696c253246253346756925334468746d6c2532367a792533446c266273763d23367a2673733d31267363633d31266c746d706c3d64656661756c74266c746d706c63616368653d3226686c3d656e2666726f6d3d6c6f676f7574&charset=UTF-8&iid=&data=#&name=#&localupdate=1&extjs=1&iid=&requid=#&wxsessid=#&sessonly=0&requesthash=#&requestsrc=ff&hasplugin=1.74.0
As we can see, the ref field contains the string:
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=#6z&ss=1&scc=1&ltmpl=default&ltmplcache=2&hl=en&from=logout
Thus, quite incidentally, the information about which sites you are registered on is transmitted to the LastPass server in the clear. And sometimes these strings even contain logins, passwords and other sensitive information (on some not very well-designed sites).
Also, when sending, the plugin does not encrypt the whole block of form data; it encrypts only the field values, leaving the field names in the open, and it does not salt the values when encrypting. So, with simple calculations on the server side, one can work out on which sites you use the same logins and passwords. By the way, the form's action URL is also transmitted to the LastPass server in the clear:
sentms=#&data=#REMOVED#&ref=687474703a2f2f6861627261686162722e72752f6c6f67696e2f&charset=UTF-8
This is how the information in the data field looks for the login form on habrahabr.ru, and it is in exactly this form that everything is transmitted to the LastPass server:
0 undefined fieldset
0 act SuQP2miDnWPHD202CxqCLQ%3D%3D hidden
0 redirect_url 5RXHPEEbEv6DlWMaKxOdQZAnmxFM8k9gLCeYz10sh5I%3D hidden
0 login DEJ#REMOVED#D%3D text
0 password vT5yo#REMOVED#tkg%3D%3D password
0 captcha text
0 %D0%92%D0%BE%D0%B9%D1%82%D0%B8 submit
0 action http%3A%2F%2Fhabrahabr.ru%2Fajax%2Fauth%2F action
0 method post method
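To make the two observations above concrete (the hex-encoded ref field, and the per-field, unsalted encryption of the data block), here is an added Python example that plays the role of an observer on the server side. It is not LastPass code. The request body and the per-site form records are constructed samples in the layout shown above; the base64-looking ciphertext strings are invented placeholders, and only their equality matters. The example hex-decodes ref to recover the page URL, lists what is readable from a data block without the user's key (field names, types, the action URL), and groups sites by identical ciphertext, which under deterministic encryption without a salt means identical plaintext.

```python
import urllib.parse
from collections import defaultdict

# Constructed sample body in the shape of the request shown in the article (values are placeholders).
SAMPLE_BODY = (
    "sentms=1&data=REMOVED&ref=687474703a2f2f6861627261686162722e72752f6c6f67696e2f"
    "&charset=UTF-8&requestsrc=ff"
)

# Constructed per-site form records in the layout of the data block above:
# (index, field name, value, field type). Encrypted values are URL-encoded base64 ciphertext;
# the ciphertext strings here are invented and only their equality across sites matters.
SAMPLE_FORMS = {
    "habrahabr.ru": [
        ("0", "login", "DEJxx%3D", "text"),
        ("0", "password", "vT5yo%3D%3D", "password"),
        ("0", "action", "http%3A%2F%2Fhabrahabr.ru%2Fajax%2Fauth%2F", "action"),
        ("0", "method", "post", "method"),
    ],
    "example.org": [
        ("0", "user", "DEJxx%3D", "text"),
        ("0", "pass", "vT5yo%3D%3D", "password"),
        ("0", "action", "https%3A%2F%2Fexample.org%2Flogin", "action"),
        ("0", "method", "post", "method"),
    ],
    "other.test": [
        ("0", "email", "QQQQ%3D", "text"),
        ("0", "password", "ZZZZ%3D", "password"),
        ("0", "action", "https%3A%2F%2Fother.test%2Fsignin", "action"),
        ("0", "method", "post", "method"),
    ],
}


def decode_ref(body: str) -> str:
    """Hex-decode the ref field of a form-urlencoded body: the page URL, sent without the user's key."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    ref_hex = fields.get("ref", [""])[0]
    return bytes.fromhex(ref_hex).decode("utf-8")


def visible_metadata(rows) -> dict:
    """Everything readable from one data block without decrypting anything:
    the field names and types, plus the form's action URL and method."""
    names = [name for _, name, _, _ in rows]
    action = next((urllib.parse.unquote(val) for _, _, val, ftype in rows if ftype == "action"), None)
    method = next((val for _, _, val, ftype in rows if ftype == "method"), None)
    return {"field_names": names, "action": action, "method": method}


def shared_ciphertexts(forms: dict, field_type: str = "password") -> dict:
    """Group sites by the ciphertext of a given field type.
    With deterministic, unsalted encryption equal ciphertext implies equal plaintext,
    so credential reuse across sites is visible without ever decrypting a value."""
    groups = defaultdict(set)
    for site, rows in forms.items():
        for _, _, value, ftype in rows:
            if ftype == field_type and value:
                groups[value].add(site)
    return {ct: sorted(sites) for ct, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    print("ref decodes to:", decode_ref(SAMPLE_BODY))
    for site, rows in SAMPLE_FORMS.items():
        print(site, visible_metadata(rows))
    print("sites sharing a password ciphertext:", shared_ciphertexts(SAMPLE_FORMS))
    print("sites sharing a login ciphertext:", shared_ciphertexts(SAMPLE_FORMS, "text"))
```

The mitigation the article hints at is equally visible in the code: if the plugin encrypted the whole block (or salted each value with a per-entry random value), `shared_ciphertexts` would find nothing and `visible_metadata` would have nothing to list.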
So what does an attacker learn if he gains access to the encrypted data but does not know your password?
- Your email address in LastPass
- List of all sites where you have registration
- A list of all sites where you have the same logins and/or passwords
- Full links to forms on all sites
- Full links from the action attribute of forms on all sites
Therefore, be careful when adding your next password to LastPass. Be sure to look at the address bar and ask whether you really want to send this information to someone else's server in clear text.
P.S. I kept wondering why the service wanted this information at all, since it would cost nothing to encrypt the URL and all the fields; but the other day I read the Privacy Statement on the site, and it all became clear at once:
There are no statistics on this site. For instance, LastPass site. LastPass may display this information publicly or provide it to others. In addition, you can provide your personal information. Our services are free. However, LastPass does not disclose information other than as described below.
As I understand it, information about which sites you are registered on can be used to build an advertising profile of you. And LastPass does not hide this either.