Researchers released a script to decrypt and extract LastPass Master Password

On DefCamp 2014 conference in Romania security researcher Alex Balan demonstrated a new way that allows attacker to grab master password on LastPass system which integrate itself in browser, mobile app or webapp. this technology gives user to have a single password that authenticate to systems.

Researchers used Ettercap, Burp, Backdoor Factory (BDF) and Metasploit to prepare a malicious file, which was sent to target and allow  obtain sensitive information. the test was made against machine running Samsung Kies application that is designed to synchronize with your smartphone. This utility continuously sends requests to update via Internet that are sent in non encrypted form.

With Burp Alex Balan performed a Man in the Middle attack to sniff  Samsung Kies server responses, Using Backdoor Factory and Metasploit, he prepared a malicious file that was delivered to remote target in form of application update. this by taking the real binary update file and added the exploit in the empty fragments.

Running the application allowed attacker to have access on remote target this including the data that is stored in memory almost as plain text as the master password LastPass.

there are some conditions required to make the PoC such as LastPass account have the option “Store password». Metasploit exploit is published over this link: http://www.rapid7.com/db/modules/post/multi/gather/lastpass_creds

While there should be a fix in the future against this vulnerability that are expected to be released by LastPass developers.

Share