SLIDE 1
Client-side Attacks on the LastPass Browser Extension

Derk Barten, supervised by Cedric Van Bockhaven

Master Security and Network Engineering, UvA

SLIDE 2

LastPass

  • "Cloud based" password manager
  • 13 million users, 33k businesses
  • Browser extension written in JavaScript
  • Custom implementation of AES/SHA/PBKDF2

Image: https://droid-life.com/wp-content/uploads/2015/04/lastpass-android.jpg

SLIDE 3

Research Question

What client-side attacks can be used on the LastPass extension for the Chrome browser?

  • 1. File system based attacks
  • 2. Memory based attacks
  • 3. JavaScript attacks: XSS, CSRF

SLIDE 4

The Scenario

  • Post-exploitation phase
  • Jumping point for Red Team operations
  • Internet criminals

SLIDE 5

Lab Setup

  • Windows 10 VM in VirtualBox
  • Google Chrome
  • LastPass extension
  • Two LastPass accounts, victim_alice & victim_bob

SLIDE 6

Filesystem based Client-side attack

  • Local database stored under the Chrome UserData directory
  • Site accounts stored in a base64-encoded binary blob
  • Remembered master password encrypted (AES) with the SHA256 of the email as key
  • Vault key is 100100 iterations of PBKDF2 over the email and master password
  • Vault key used to decrypt the accounts in the local database

SLIDE 7

LastWish

  • Automated Python script
  • Decrypts every site in the local database
  • Works when the browser is closed

SLIDE 8

Limitations of the File system attack

  • Remember password needs to be enabled
  • Offline mode needs to be enabled, or MFA needs to be disabled

SLIDE 9

Memory based Client-side attack

  • Previous research suggests plaintext usernames/passwords in memory
  • Tools: Chrome devtools, WinDBG, strings, radare2 :)
  • Found site name, username and vault key
  • Narrowing the candidates: 18363 matches -> 224 matches -> 90 matches

SLIDE 10

Limitations of the Memory attack

  • Offline mode needs to be enabled
  • Browser/extension must be open

SLIDE 11

Implications

File system attack:
  ❏ Passwords can be stolen when remember password is enabled
  ❏ Same approach already performed 4 years ago
  ❏ Likely low priority for LastPass

Memory attack:
  ❏ Passwords can be stolen when the extension is active
  ❏ Have not found functional previous research
  ❏ May be included in the threat model of LastPass

SLIDE 12

Conclusion

What client-side attacks can be used on the LastPass extension for the Chrome browser?

  • The remembered password function can be abused to decrypt the accounts in the locally stored database
  • The encryption key of the accounts can reliably be found in the memory of the extension

SLIDE 13

Discussion

  • Could also just get the vault key from the Chrome dev tools
  • Observation: offline access can only be DISABLED when MFA is ENABLED
  • Advice: with MFA, offline access should always be DISABLED when remember password is ENABLED

SLIDE 14

Silly Bug

  • The “Easy to say” password-generator option may result in very short passwords