Being fans of LastPass (and of a local NoVA company as well), we were intrigued when we came across a tweet from @mubix about a post by Dhiru Kholia to the OpenWall mailing list. In the message Dhiru discusses some interesting fields he found when examining LastPass traffic through the Burp proxy and the potential for mounting an offline brute-force attack against them. He closes by asking what would prevent LastPass itself from performing a similar attack to gain access to our database of credentials.
via OpenWall Mailing List
So far, I haven’t been able to mount an offline attack against LastPass’s locally stored database. However, it is possible to sniff the LastPass authentication packets and mount an offline attack to recover the original password.
Here is a screenshot of Burp Suite in action,
? ../run/john -fo:lastpass -t # AMD X3 720 CPU (single core)
Benchmarking: LastPass sniffed sessions PBKDF2-HMAC-SHA-256 AES [32/64]… DONE
Raw: 2520 c/s real, 2520 c/s virtual
What prevents LastPass from using the same technique? Maybe they have another faster way to access user data ;).
I urge LastPass to open up their database format, so that a proper
third-party security analysis can be carried out.
Source: “Fun with LastPass” – OpenWall.com
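As an added illustration (not code from the mailing-list post or from LastPass), the following Python models the asymmetry Dhiru points at: a client-side PBKDF2-HMAC-SHA-256 value captured in transit costs an attacker only the client-side iterations per guess, so any server-side re-hashing adds nothing against a sniffed value, and the quoted 2520 c/s scales linearly with the client-side iteration count. The scheme, the use of the e-mail address as salt, and all iteration counts are assumptions made for this example, not LastPass’s documented design.

```python
import hashlib
import hmac

# Guess rate quoted in the John the Ripper benchmark above (one CPU core).
BENCHMARK_RATE = 2520.0


def client_auth_hash(password: str, email: str, iterations: int) -> bytes:
    # Client-side key stretching; using the e-mail as salt is an assumption for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.encode("utf-8"), iterations, dklen=32)


def server_verifier(auth_hash: bytes, server_salt: bytes, server_iterations: int) -> bytes:
    # Server-side re-hashing of the value it receives (assumed, not LastPass's documented design).
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, server_iterations, dklen=32)


def server_accepts(auth_hash: bytes, server_salt: bytes, server_iterations: int,
                   stored_verifier: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the stored value.
    return hmac.compare_digest(server_verifier(auth_hash, server_salt, server_iterations),
                               stored_verifier)


def attacker_iterations_per_guess(client_iterations: int, server_iterations: int,
                                  has_sniffed_auth_hash: bool) -> int:
    # A sniffed auth hash lets an attacker stop at the client-side derivation, so
    # server-side stretching is irrelevant to that capture; only a stolen verifier
    # database forces the extra server-side work per guess.
    if has_sniffed_auth_hash:
        return client_iterations
    return client_iterations + server_iterations


def expected_seconds(keyspace_size: int, iterations_per_guess: int,
                     benchmark_iterations: int, rate: float = BENCHMARK_RATE) -> float:
    # PBKDF2 cost is linear in iterations: scale the benchmark rate (measured at
    # benchmark_iterations, which the post does not state) and assume the correct
    # guess is found halfway through the keyspace on average.
    effective_rate = rate * benchmark_iterations / iterations_per_guess
    return (keyspace_size / 2) / effective_rate
```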
I think this is a valid question, and it would be great if LastPass would respond to this potential attack and reveal their database format. As you know, security through obscurity is generally a bad thing.
Do you think this attack looks like something LastPass users need to worry about? Let us know in the comments below. See ya!