Category Archives: Off-Topic

LastPass: Security done wrong

https://palant.de/2017/03/23/lastpass-security-done-wrong

Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that’s harsh but this is what I’ve seen so far. In particular, security vulnerabilities have been addressed punctually, only the exact scenario reported has been tested by the developers. This time LastPass has driven it to an extreme by fixing a critical bug in their Chrome extension and announcing the fix even though the exact same exploit was working against their Firefox extension as well. But also with the bugs I reported previously nobody seemed to have an interest in going through the code base looking for other instances of the same issue, let alone taking obvious measures to harden the code against similar attacks or reconsidering the overall approach.

Or what I call: Security through Self-Confidence.

Learning from mistakes: The Yahoo hack

TL;DR

Belan’s observed offensive traits were as follows:

  • He identified peripheral web servers via Google and Linkedin searches

  • Used known WordPress flaws and custom bugs to compromise PHP sites

  • Linux authentication mechanisms were altered to capture credentials

  • Nmap was used to identify exposed network services internally

  • Corporate Wikis revealed administrative workflows and VPN details

  • Ticketing, bug tracking, and version control systems provided secrets (e.g. cryptographic keys, seeds, hashes, credentials, and source code)

  • Cookies from weak non-production instances (e.g. staging) were valid in production as cryptographic materials were the same — bypassing 2FA

  • Client certificates (exposed by email, ticketing, or lifted from filesystems) were combined with known credentials to access corporate VPNs

  • Engineering credentials were used to commit backdoors to version control which were self-approved and later deployed into production