
Client-side Attacks on the LastPass Browser Extension (PowerPoint PPT Presentation)



  1. Client-side Attacks on the LastPass Browser Extension
  Master Security and Network Engineering, UvA
  Derk Barten, supervised by Cedric Van Bockhaven

  2. LastPass
  • "Cloud based" password manager
  • 13 million users, 33k businesses
  • Browser extension in JavaScript
  • Custom implementation of AES/SHA/PBKDF2
  Image: https://droid-life.com/wp-content/uploads/2015/04/lastpass-android.jpg

  3. Research Question
  What client-side attacks can be used on the LastPass extension for the Chrome browser?
  1. File system based attacks
  2. Memory based attacks
  3. JavaScript attacks, XSS, CSRF

  4. The Scenario
  • Post exploitation phase
  • Jumping point for Red Team operations
  • Internet criminals

  5. Lab Setup
  • Windows 10 VM, VirtualBox
  • Google Chrome
  • LastPass extension
  • Two LastPass accounts, victim_alice & victim_bob

  6. Filesystem based Client-side attack
  • Local database under Chrome UserData
  • Site accounts stored in a binary blob, base64 encoded
  • Master password encrypted (AES) with SHA256 of the email
  • Vault key is 100100 iterations of PBKDF2 with email & master password
  • Vault key used to decrypt accounts in local database

  7. LastWish
  • Automated Python script
  • Decrypts every site in the local database
  • Works when browser is closed

  8. Limitations of the File system attack
  • Remember password needs to be enabled
  • Offline mode needs to be enabled or MFA needs to be disabled

  9. Memory based Client-side attack
  • Previous research suggests plaintext usernames/passwords
  • Chrome devtools, WinDBG, strings, radare2 :)
  • Found site name, username and vault key
  • 18363 Matches -> 224 Matches -> 90 Matches

  10. Limitations of the Memory attack
  • Offline mode needs to be enabled
  • Browser/extension must be open

  11. Implications
  File system attack:
  ❏ Passwords can be stolen when remember password is enabled
  ❏ Same approach already performed 4 years ago
  ❏ Likely low priority for LastPass
  Memory attack:
  ❏ Passwords can be stolen when the extension is active
  ❏ Have not found functional previous research
  ❏ May be included in the threat model of LastPass

  12. Conclusion
  What client-side attacks can be used on the LastPass extension for the Chrome browser?
  • The remembered password function can be abused to decrypt the locally stored database accounts.
  • The encryption key of the accounts can reliably be found in the memory of the extension.

  13. Discussion
  • Could also just get the vault key from the Chrome dev tools
  • Observation: Offline access can only be DISABLED when MFA is ENABLED
  • Advice: With MFA, offline access should always be DISABLED when remember password is ENABLED.
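A configuration check that encodes the preconditions from the two Limitations slides together with the observation and advice on this slide, written as an added example (it is not part of the presentation and not LastPass tooling); the setting names are my own labels for the options the slides refer to:

```python
# Added example: evaluates a LastPass client configuration against the attack
# preconditions stated on the slides. Setting names are assumed labels.
from dataclasses import dataclass


@dataclass(frozen=True)
class LastPassSettings:
    remember_password: bool  # master password cached in the local database
    offline_access: bool     # "offline mode": vault usable without the server
    mfa_enabled: bool
    extension_open: bool     # browser running with the extension loaded


def validate(s: LastPassSettings) -> None:
    # Observation on the Discussion slide: offline access can only be
    # disabled when MFA is enabled, so this combination cannot occur.
    if not s.offline_access and not s.mfa_enabled:
        raise ValueError("offline access cannot be disabled without MFA")


def filesystem_attack_possible(s: LastPassSettings) -> bool:
    # Slide "Limitations of the File system attack": remember password
    # enabled, and offline mode enabled or MFA disabled.
    validate(s)
    return s.remember_password and (s.offline_access or not s.mfa_enabled)


def memory_attack_possible(s: LastPassSettings) -> bool:
    # Slide "Limitations of the Memory attack": offline mode enabled and
    # the browser/extension open.
    validate(s)
    return s.offline_access and s.extension_open


def findings(s: LastPassSettings) -> list[str]:
    # Returns the exposures for this configuration; an empty list means the
    # configuration the Discussion slide advises (MFA on, offline access off).
    out = []
    if filesystem_attack_possible(s):
        out.append("local database decryptable at rest (remember password)")
    if memory_attack_possible(s):
        out.append("vault key recoverable from extension memory")
    if s.mfa_enabled and s.remember_password and s.offline_access:
        out.append("advice: disable offline access while remember password is on")
    return out
```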

  14. Silly Bug
  • "Easy to say" may result in very short passwords
