client side attacks on the lastpass browser extension
play

Client-side Attacks on the LastPass Browser Extension 4 If you want - PowerPoint PPT Presentation

Jul 12, 2023 •131 likes •272 views

Titelpage Insert picture Change the image by deleting 1 the existing image. Click on the icon that appears to insert an image. Select a picture you would like 2 to insert and then click on Insert Select the image and click on 3

  1. Titelpage Insert picture Change the image by deleting 1 the existing image. Click on the icon that appears to insert an image. Select a picture you would like 2 to insert and then click on ‘Insert’ Select the image and click on 3 ‘Drawing Tools’. Click on ‘Arrange’ and then ‘Send Backward’ . Client-side Attacks on the LastPass Browser Extension 4 If you want to scale or drag the image, go to ‘Drawing Tools' and click 'Crop'. With the white rounds you can scale the image, with the black brackets you can scale the image frame. Master Security and Network Engineering, UvA Derk Barten supervised by Cedric Van Bockhaven 1

  2. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels LastPass Level Up Level Down “Cloud based” password manager Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) 13 Million users, 33k businesses 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) Browser extension in Javascript Custom implementation of AES/SHA/PBKDF2 https://droid-life.com/wp-content/uploads/2015/04/lastpass-android.jpg 2

  3. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Research Question Level Up Level Down What client-side attacks be used on the LastPass extension for the Chrome browser? Text levels 1 1. File system based attacks Body text (24 pt.) • 2 Bullet (24 pt.) 2. Memory based attacks 3 • Sub Bullet (16 pt.) 3. Javascript attacks, XSS, CSRF 4 Title (24 pt) 5 Title (16 pt) 3

  4. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels The Scenario Level Up Level Down Post exploitation phase Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) Jumping point for Red Team operations 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) Internet criminals 4

  5. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Lab Setup Level Up Level Down Windows 10 VM, Virtualbox Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) Google Chrome 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) LastPass extension Two Lastpass accounts, victim_alice & victim_bob 5

  6. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Filesystem based Client-side attack Level Up Level Down Local database under chrome UserData Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) Site accounts stored in a binary blob base64 encoded 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) Master password encrypted (AES) with SHA256 of the email Vault key is 100100 iterations of PBKDF2 with email & master password Vault key used to decrypt accounts in local database 6

  7. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels LastWish Level Up Level Down Automated Python script Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) Decrypts every site in the local 3 • Sub Bullet (16 pt.) database 4 Title (24 pt) 5 Title (16 pt) Works when browser is closed 7

  8. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Limitations of the File system attack Level Up Level Down Remember password needs to be enabled Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) Offline mode needs to be enabled or MFA needs to be disabled 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) 8

  9. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Memory based Client-side attack Level Up Level Down Previous research suggest plaintext usernames/passwords Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) Chrome devtools, WinDBG, strings, radare2 :) 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) Found site name, username and vault key 18363 Matches -> 224 Matches -> 90 Matches 9

  10. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Limitations of the Memory attack Level Up Level Down Offline mode needs to be enabled Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) Browser/extension must be open 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) 10

  11. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Implications Level Up Level Down File system attack: Memory attack: Text levels 1 ❏ Passwords can be stolen when ❏ Passwords can be stolen when the Body text (24 pt.) • 2 Bullet (24 pt.) remember password extension is active 3 • Sub Bullet (16 pt.) ❏ Same approach already performed 4yrs ❏ Have not found functional previous 4 Title (24 pt) ago research 5 Title (16 pt) ❏ Likely low priority for Lastpass ❏ May be included in the threat model of LastPass 11

  12. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Conclusion Level Up Level Down Text levels What client-side attacks be used on the LastPass extension for the Chrome browser? 1 Body text (24 pt.) • 2 Bullet (24 pt.) 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) Remembered password function can be abused to decrypt the locally stored database accounts. The encryption key of the accounts can reliably be found in the memory of the extension 12

  13. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Discussion Level Up Level Down Could also just get the vault key from the chrome dev tools Text levels 1 Body text (24 pt.) • 2 Bullet (24 pt.) 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) Observation: Offline access can only be DISABLED when MFA is ENABLED Advice: With MFA, offline access should always be DISABLED when remember password is ENABLED. 13

  14. Text page Working with text levels The UvA template has a number of pre-programmed text levels. Go to 'Home' and then to 'Paragraph' to easily switch between different levels Silly Bug Level Up Level Down “Easy to say” may result in very short Text levels passwords 1 Body text (24 pt.) • 2 Bullet (24 pt.) 3 • Sub Bullet (16 pt.) 4 Title (24 pt) 5 Title (16 pt) 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

812 views • 51 slides
PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting

PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting

PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting Client-side scripting (browser) Designed to interact with the user s web page Event-driven Restricted to what a web browser can

329 views • 29 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no browser is safe 2011 300% increase in cyber attacks Who they are Why they do it Who are the targets Our filter processes 3 billion

407 views • 17 slides
Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content Static Static (HTML) Dynamic Dynamic (XML, ASP, JSP) Server-side scripts Client-side scripts (JScript) Fetch content from

621 views • 24 slides
JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant

JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant

JavaScript! What is JavaScript? A (traditionally) client-side scripting language Meant (traditionally) to run entirely on the users browser Defined by the ECMAscript standard, published by the ECMA foundation JavaScript != Java,

657 views • 32 slides
Labs #4 APIs API I Lab #1 Previously, rendering of Guestbook done in Flask with Jinja

Labs #4 APIs API I Lab #1 Previously, rendering of Guestbook done in Flask with Jinja

Labs #4 APIs API I Lab #1 Previously, rendering of Guestbook done in Flask with Jinja templates returning HTML Recall, client-side rendering approaches Front-end UI code completely on browser (e.g. client-side rendering) Back-end

2.1k views • 179 slides
Pluggable transport work Flashproxy can do IPv6. Upcoming Flashproxy Tor Browser Bundle

Pluggable transport work Flashproxy can do IPv6. Upcoming Flashproxy Tor Browser Bundle

Pluggable transport work Flashproxy can do IPv6. Upcoming Flashproxy Tor Browser Bundle (TBB) Windows package Obfsproxy packages: debs and bridge-side docs (and obfsproxy in our ec2 images) Client-side Obfsproxy TBBs New

1.02k views • 47 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why?

CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why?

CS/COE 1520 pitt.edu/~ach54/cs1520 Client-side scripting: An introduction to Javascript Why? By themselves, HTML and CSS can provide a description of the structure and presentation of a document to the browser A static document

461 views • 18 slides
Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June 2010 Jason Milletary Topics What is a Man-in-the-Browser Attack? How are they used? How can I identify and mitigate when they are

207 views • 18 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami , Panagiotis Ilia, Konstantinos Solomos, Jason Polakis University of Illinois at Chicago, USA skaram5@uic.edu February 24, 2020 Browser extensions

886 views • 30 slides
Bruce Vento Regional Trail Hi Highway 96 to C 96 to Cou ounty R Roa oad J J Public lic M

Bruce Vento Regional Trail Hi Highway 96 to C 96 to Cou ounty R Roa oad J J Public lic M

Bruce Vento Regional Trail Hi Highway 96 to C 96 to Cou ounty R Roa oad J J Public lic M Meetin ing N No. 1 1 Trail Extension - Highway 96 to County Road J Presentation Contents and Agenda Open Time

165 views • 14 slides
STEM OPT Extension Overview Who Qualifies? Whats Different? Mentoring and Training

STEM OPT Extension Overview Who Qualifies? Whats Different? Mentoring and Training

STEM OPT Extension Overview Who Qualifies? Whats Different? Mentoring and Training Program Procedures Resources Who Qualifies? Students who are currently in post-completion OPT and hold a degree in an eligible STEM

545 views • 25 slides
REPUBLI C OF REPUBLI C OF SERBI A SERBI A CASE CASE PRESENTATI ON PRESENTATI ON ON ERW ON

REPUBLI C OF REPUBLI C OF SERBI A SERBI A CASE CASE PRESENTATI ON PRESENTATI ON ON ERW ON

REPUBLI C OF REPUBLI C OF SERBI A SERBI A CASE CASE PRESENTATI ON PRESENTATI ON ON ERW ON ERW I NTRODUCTI ON I NTRODUCTI ON CONVENTIONS AND PROTOCOLS RELATED TO CONVENTIONS AND PROTOCOLS RELATED TO WEAPONS: WEAPONS: Geneva Gas

387 views • 27 slides
Extension Madness Justin Geis TheSketchUpEssentials.com - YouTube.com/TheSketchUpEssentials -

Extension Madness Justin Geis TheSketchUpEssentials.com - YouTube.com/TheSketchUpEssentials -

Extension Madness Justin Geis TheSketchUpEssentials.com - YouTube.com/TheSketchUpEssentials - The SketchUp Essentials YouTube Channel Almost 500 videos now about how to use SketchUp Weekly SketchUp extension introduction and review videos

381 views • 37 slides
Manhattan Community Board 2 Thursday May 2, 2019 New York City Transit Background M14A/D

Manhattan Community Board 2 Thursday May 2, 2019 New York City Transit Background M14A/D

Manhattan Community Board 2 Thursday May 2, 2019 New York City Transit Background M14A/D is second-busiest bus route in Manhattan (27,000 daily riders) and second- slowest in NYC M14 Select Bus Service 14 th St identified as a Select

513 views • 25 slides
CR 455 Extension Project Development and Environment (PD&E) Study RSQ 17-0014 1 October

CR 455 Extension Project Development and Environment (PD&E) Study RSQ 17-0014 1 October

CR 455 Extension Project Development and Environment (PD&E) Study RSQ 17-0014 1 October 24, 2019 WELCOME Preferred Alternative Public Meeting October 24, 2019 Open House Format Presentation Runs Every 10 Minutes 2 Clermont Arts

589 views • 27 slides
PUBLIC SPEECHES A public speech can be informational or persuasive. No visual aids may be used.

PUBLIC SPEECHES A public speech can be informational or persuasive. No visual aids may be used.

201 9 Crook County 4-H Fair Book 4-H CONTESTS Presentation Contests 4-H PRESENTATIONS March 9, 2019 Crook County Open Campus Building These guidelines are to be used for Presentations in all project areas. Judging criteria are outlined on the

414 views • 3 slides
/ skin regimen / extension presentation salon services / skin regimen / retail products

/ skin regimen / extension presentation salon services / skin regimen / retail products

/ skin regimen / extension presentation salon services / skin regimen / retail products enzymatic powder / exfoliating foaming powder /size 55 gr /item code 11719 /spa price $22.50 /msrp $45.00 NEW 4.0 tea tree booster / imperfections

552 views • 8 slides

More recommend