undefined | Better HN

0 pointsMBCook8y ago0 comments

It means if someone hacks into their forums and gets credentials then all your passwords are open to them.

0 comments

dsp12348y ago

Why?

1.) LastPass login page hashes MasterPassword on the login page to produce a hash

2.) Hash is sent to the forums, and is checked against the same hash as the vault system

3.) Hash is confirmed, and you're logged in.

1.) Later hash is grabbed by an attacker.

2.) Attacker sends the hash to get the encrypted vault

3.) Attacker gets the encrypted vault

4.) Attacker is sad, because they don't have the MasterPassword, and thus have no access to all your passwords

Note that I'm not saying that they are awesome, and/or are doing the above. But it's not immediately obvious that a MasterPassword can't hash a forum login and a vault request at the same time. I mean, that's literally what the "MasterPassword never leaves the client" is supposed to mean.

[0] - https://lastpass.com/support.php?cmd=showfaq&id=6926

nodja8y ago

1.) Find exploit in forum software/server.

2.) Modify login.php to send form username/password to attackers server.

scarhill8y ago

Except there is no forum login page, just a SAML redirect to their SSO login.

2 more replies

dasil0038y ago

0.) LastPass login page is hacked with a skimmer.

1.) Game over.

j / k navigate · click thread line to collapse