Researchers to reveal critical LastPass issues in November 2015

Password managers are great as they store a virtually unlimited amount of important information: accounts, passwords, credit card numbers and other sensitive data. They keep you from having to memorize unique strong passwords, or from using other means to remember them such as writing them down.

All the data is protected by a single master password, and, if supported, by additional means of protection such as two-factor authentication.

Security of the password manager and its database is of utmost importance, considering that attackers would gain access to all the data stored by a user if they somehow managed to gain access to the account.

That single access would give the attacker access to most of the accounts of that user and even data that is not linked directly to the Internet if it has been added to the vault as well.

Update: LastPass contacted us with the following clarification:

  • These reports were responsibly disclosed to our team over a year ago
  • All reports were addressed immediately at that time and do not pose an ongoing risk to LastPass users
  • Users do not need to wait to understand what the reports were about - all of them are covered in Martin's post from last year with the exception of the account recovery report, which was addressed at that time but was not covered in his original blog post
  • It's also worth noting that we explicitly warn users not to use the Remember Password option

It appears that the demonstration is indeed about the vulnerability that was disclosed last year by the researchers.

Security researchers Alberto Garcia and Martin Vigo will demonstrate attacks on the popular online password management service LastPass at the Blackhat Europe 2015 conference in November.

Here is what they will demonstrate:

  1. How to steal and decrypt the LastPass master password.
  2. How to abuse password recovery to obtain the encryption key for the vault.
  3. How to bypass 2-factor authentication used by LastPass to improve security of accounts.

The methods that they will use to do so are not revealed in the briefing, but the researchers mention that they have reverse-engineered LastPass plugins and discovered several attack vectors in doing so. It is likely that they mean browser extensions by plugins, but it is not clear from the briefing.

While it is too early to tell how effective and applicable these attack forms are, it is certainly something that LastPass users should keep a close eye on.

The attacks could for instance require a modified browser extension or other components that need to run on a computer system to be effective. This would obviously be less of an issue than something that could be exploited right away on systems running official plugins and extensions.

LastPass users will have to wait almost two months before the attacks are revealed at the conference. Cautious users may want to disable the extensions in the meantime to avoid harm, since it is unclear how these attacks are carried out.

Now You: Do you use LastPass or another online password manager?

This article was first seen on ComTek's "TekBits" Technology News