What does LastPass not hide?

    I think everyone knows what LastPass is. Many people have entrusted it with the storage of all their logins and passwords. And why not trust it, since the developers declare that all information is protected and encrypted on the client side. Bearing the recent history in mind, I decided to take the LastPass plugin to pieces and understand what is really protected and what is not, continuing my series of articles about small problems in large projects.

    At first I really liked everything. LastPass computes a hash of your login and password, and that hash is the key for the AES algorithm:

    KEY = SHA256 (EMAIL + PASSWORD)

    For authorization the service uses a double hash; this is what is sent to the server and serves as the verification key during authorization:

    AUTH_HASH = SHA256 (KEY + PASSWORD)

    Indeed, the names of groups, accounts and the data itself are transmitted in encrypted form, and HTTPS is used everywhere. But, as it turned out, there are things that are sent to the server without being encrypted with the user's key. One example is the full current URL of the site on which you enter a password into LastPass for the first time.

    Here is the request that the plugin sends to the server (some field values are changed):

    POST /deliver_and_add.php HTTP/1.1
    Host: lastpass.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 5045
    Cookie: lang=en_US; sessonly=0; PHPSESSID=#;
    X-LastPass: 1.74.0
    X-wxsessid: #
    Pragma: no-cache
    Cache-Control: no-cache

    sentms=#&data=#&ref=68747470733a2f2f7777772e676f6f676c652e636f6d2f6163636f756e74732f536572766963654c6f67696e3f736572766963653d6d61696c26706173736976653d7472756526726d3d66616c736526636f6e74696e75653d68747470732533412532462532466d61696c2e676f6f676c652e636f6d2532466d61696c253246253346756925334468746d6c2532367a792533446c266273763d23367a2673733d31267363633d31266c746d706c3d64656661756c74266c746d706c63616368653d3226686c3d656e2666726f6d3d6c6f676f7574&charset=UTF-8&iid=&data=#&name=#&localupdate=1&extjs=1&iid=&requid=#&wxsessid=#&sessonly=0&requesthash=#&requestsrc=ff&hasplugin=1.74.0

    As we can see, the ref field contains this line, hex-encoded but not encrypted:

    https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=#6z&ss=1&scc=1

    Thus, quite by accident, information about which sites you are registered on is transmitted to the LastPass server in the clear. And sometimes these lines also contain logins, passwords and other sensitive information (on some not very well-designed resources).
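    To show concretely what the ref field exposes, here is an added example (not code from the post or from LastPass) that decodes the two hex-encoded ref values shown in this article, lists the query parameters they carry, flags parameter names that usually hold credentials, and reduces a URL to its origin, which is all a client needs to send if it needs a referrer at all. The parameter-name list, the example.test URL and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Hex-encoded "ref" values copied from the two requests shown in the post.
REF_GOOGLE = (
    "68747470733a2f2f7777772e676f6f676c652e636f6d2f6163636f756e74732f536572766963654c6f67696e3f"
    "736572766963653d6d61696c26706173736976653d7472756526726d3d66616c736526636f6e74696e75653d"
    "68747470732533412532462532466d61696c2e676f6f676c652e636f6d2532466d61696c253246253346756925"
    "334468746d6c2532367a792533446c266273763d23367a2673733d31267363633d31266c746d706c3d6465666175"
    "6c74266c746d706c63616368653d3226686c3d656e2666726f6d3d6c6f676f7574"
)
REF_HABR = "687474703a2f2f6861627261686162722e72752f6c6f67696e2f"

# Constructed example (not a real site) of a login URL that carries credentials
# in its query string, the case the post warns about.
CONSTRUCTED_URL = "https://example.test/login?user=alice&password=hunter2&next=%2Finbox"

# Parameter names that commonly carry credentials or session material.
# This list is an assumption for the example, not something from the post.
SENSITIVE_PARAMS = {
    "user", "username", "login", "email", "password", "passwd", "pwd", "pass",
    "token", "session", "sessionid", "sid", "auth", "key",
}


def decode_ref(hex_ref: str) -> str:
    """Turn the hex-encoded ref field back into the URL it carries."""
    return bytes.fromhex(hex_ref).decode("utf-8")


def query_keys(url: str) -> list:
    """Parameter names in the URL's query string, in order of appearance.

    Note: the post redacted one value as '#' (bsv=#6z); urlsplit treats
    everything after that '#' as a fragment, so the later parameters of
    REF_GOOGLE are not reported here. That is an artefact of the redaction.
    """
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def find_sensitive_params(url: str) -> list:
    """Parameter names that look like credentials and should never leave the browser."""
    return [k for k in query_keys(url) if k.lower() in SENSITIVE_PARAMS]


def minimise_referrer(url: str) -> str:
    """Reduce a URL to its origin: the most a sync client needs to identify a site."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


if __name__ == "__main__":
    for ref in (REF_GOOGLE, REF_HABR):
        url = decode_ref(ref)
        print("sent in clear :", url)
        print("query params  :", query_keys(url))
        print("origin only   :", minimise_referrer(url))
    print("credential-like params in constructed URL:",
          find_sensitive_params(CONSTRUCTED_URL))
```

    Running it shows that even the redacted Google URL carries a full `continue` redirect target and several session-setup parameters; sending only the origin would have told the server which site the entry is for without any of that.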


    Also, the plugin does not encrypt the whole block of form data when sending it; it encrypts only the field values, leaving the field names open, and it adds no salt to the values it encrypts. Thus, with simple calculations on the server side it is possible to work out on which sites you have the same logins and passwords. By the way, the action attribute of the form is also transmitted to the LastPass server in the clear. Here is the request for a login on habrahabr.ru:

    sentms=#&data=#REMOVED#&ref=687474703a2f2f6861627261686162722e72752f6c6f67696e2f&charset=UTF-8

    And here is the information in the data field, in exactly the form in which it is transferred to the LastPass server:

    0 undefined fieldset
    0 act SuQP2miDnWPHD202CxqCLQ%3D%3D hidden
    0 redirect_url 5RXHPEEbEv6DlWMaKxOdQZAnmxFM8k9gLCeYz10sh5I%3D hidden
    0 login DEJ#REMOVED#D%3D text
    0 password vT5yo#REMOVED#tkg%3D%3D password
    0 captcha text
    0 %D0%92%D0%BE%D0%B9%D1%82%D0%B8 submit
    0 action http%3A%2F%2Fhabrahabr.ru%2Fajax%2Fauth%2F action
    0 method post method

    So, what will an attacker learn if he gains access to the encrypted data but does not know your password?

    1. Your LastPass email address
    2. The list of all sites on which you have a registration
    3. The list of all sites on which you have the same usernames and/or passwords
    4. Full links to the forms on all of those sites
    5. Full links from the action attribute of the forms on all of those sites
    Therefore, be careful when adding another password to LastPass. Be sure to look at the address bar first and ask whether you really want that URL transferred to a third-party server in the clear.
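    The two points above, the key derivation from the start of the article and the unsalted per-field encryption, can be shown together in one added example (not code from the post or from LastPass). It derives KEY and AUTH_HASH exactly as the article describes, then encrypts a small constructed vault twice: once deterministically (fixed nonce, the "no salt" case) and once with a random nonce per value. The grouping function models what a server holding only ciphertexts can compute. The cipher is a SHA256-keystream stand-in chosen so the example needs no third-party library; the post does not state which AES mode the plugin used, and the equality property demonstrated holds for any deterministic mode such as CBC with a fixed IV. The vault contents, the master credentials and all function names are constructed for this illustration.

```python
import hashlib
import os


def derive_key(email: str, password: str) -> bytes:
    """KEY = SHA256(EMAIL + PASSWORD), as the post describes."""
    return hashlib.sha256((email + password).encode("utf-8")).digest()


def auth_hash(key: bytes, password: str) -> bytes:
    """AUTH_HASH = SHA256(KEY + PASSWORD): the only key-derived value the server receives."""
    return hashlib.sha256(key + password.encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA256; a stand-in for AES, not LastPass's cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_unsalted(key: bytes, value: bytes) -> bytes:
    # Fixed nonce: equal values under the same key always give equal ciphertexts,
    # which is exactly what lets a server match identical passwords across sites.
    return _xor(value, _keystream(key, bytes(16), len(value)))


def decrypt_unsalted(key: bytes, ciphertext: bytes) -> bytes:
    return _xor(ciphertext, _keystream(key, bytes(16), len(ciphertext)))


def encrypt_salted(key: bytes, value: bytes) -> bytes:
    # Fresh random nonce per value, sent along with the ciphertext.
    nonce = os.urandom(16)
    return nonce + _xor(value, _keystream(key, nonce, len(value)))


def decrypt_salted(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


# Constructed vault: two of the three sites share the same password.
VAULT = [
    ("mail.google.com", "hunter2"),
    ("habrahabr.ru", "hunter2"),
    ("example.test", "correct horse battery"),
]

# Constructed master credentials for the demonstration.
DEMO_KEY = derive_key("alice@example.test", "master passphrase")


def encrypt_vault(key: bytes, entries, salted: bool):
    """Encrypt only the password of each entry, leaving the site name visible, as the post describes."""
    enc = encrypt_salted if salted else encrypt_unsalted
    return [(site, enc(key, pw.encode("utf-8"))) for site, pw in entries]


def reuse_groups(encrypted_entries):
    """What a server holding only ciphertexts can compute: sites whose encrypted
    password bytes are identical. Returns sorted groups with more than one site."""
    by_ct = {}
    for site, ct in encrypted_entries:
        by_ct.setdefault(ct, []).append(site)
    return sorted(sorted(sites) for sites in by_ct.values() if len(sites) > 1)


if __name__ == "__main__":
    print("auth hash sent to server:", auth_hash(DEMO_KEY, "master passphrase").hex())
    print("reuse visible, unsalted :", reuse_groups(encrypt_vault(DEMO_KEY, VAULT, salted=False)))
    print("reuse visible, salted   :", reuse_groups(encrypt_vault(DEMO_KEY, VAULT, salted=True)))
```

    With the fixed nonce the server can pair mail.google.com and habrahabr.ru without knowing the master password or a single plaintext; with a per-value nonce the same vault yields no groups, and decryption on the client still works because the nonce travels with the ciphertext.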

    PS I was wondering why the service needed this information at all, since it would have cost nothing to encrypt the URL and all the fields entirely. Then the other day I read the Privacy Statement on the site, and it all became clear to me right away:

    LastPass may collect aggregated statistics about the behavior of visitors to its websites. For instance, LastPass may monitor the most popular website account on the LastPass.com site. LastPass may display this information publicly or provide it to others. In addition, LastPass may use your behavioral data and other data you provide to LastPass to customize advertisements on its site to its users. In this way we try to keep the majority of our services free. However, LastPass does not disclose personally-identifying information other than as described below.

    As I understand it, information about which sites you are registered on can be used to build your advertising profile. And this, too, LastPass does not hide.
