Hi,

I'm a user of LastPass.com, and there's an issue which I find to be a blatant security problem, but I'm basically getting flamed when I try to discuss it over there. So in this first post in this forum, I'd like to ask the opinion of some outsiders.

LastPass is a password manager where all decryption is local, but is synced to a server with AES encryption. It runs as a browser-plugin. That part is fine.

The issue I'm having is that even though they allow Multi-Factor Authentication, such as YubiKey, you can disable YubiKey simply by clicking in an email that is sent to your main email address. Unfortunately, they refuse to allow this email to be sent to another address, and since you need to have LastPass associated with an email account that you actively use for billing reasons, it means that if you're compromised, I believe that the hacker already has everything he needs to bypass Multi-Factor Authentication, and take over your LastPass account.

When you log into LastPass, you use an email address, which is already printed on the screen, and a password, which you type. It then prompts you for Multi-Factor Authentication (YubiKey), which is checked with the YubiKey servers.

What I'm saying is that if you use a webmail account such as Gmail, and you for whatever reason have malware running on your computer, chances are high that you've both had your email account compromised, as well as your LastPass login compromised, since a screen-capturing keylogger can easily capture your LastPass credentials, and a man-in-the-browser or some other mechanism can easily take over your email account.

What I'm trying to make them do is either (1) do as eBay, and never print the full email address on the screen, or (2) send the reset-email to another email account than your main one, or via SMS, or via some other channel. Because again, the assumption is that if you have malware on your system, your email will also have been compromised, and then the attacker has everything he needs to disable Multi-Factor Authentication, and then log into your account using the credentials he already has captured.

This is catastrophic, since a LastPass account is likely to hold bank logins, credit cards, server logins, social security numbers, basically your entire life. Given that this attack is untargeted, i.e. the hacker doesn't even have to be looking for LastPass in particular, it could be very devastating.

The arguments coming back from LastPass include:

1.) We're small, we won't be attacked.
2.) Hackers give up after 2 minutes, they won't persevere.
3.) It's just an unrealistic attack, it won't happen.
4.) It's impossible to get anything installed in the browser that will capture your webmail login if the login is done by the password manager, i.e. it's impossible to capture the form submission.
5.) Your firewall will detect the upload of the capture feed.
6.) Your antivirus will catch the install of the malware.

I find that each of these arguments represents enormous denial about reality.

1.) In reality, you'll be attacked no matter what your size.
2.) Hackers don't give up. Many of them are highly paid by organized crime to do this exact work.
3.) It's fully realistic, and is already being done. CitiBank recently suffered great losses from this exact attack.
4.) It seems that if you control the computer, you can install anything anywhere without the user knowing.
5.) The firewall will not capture regular port 80 POSTs. You can easily evacuate data from the computer without triggering a firewall.
6.) Many threats are undetectable when they're new.

Could anyone please tell me where I'm going wrong? I find this attack not just possible, but probable.

Best,

Per