LastPass Forums

[Gerry]

Quote from the lastpass.com homepage (although similar quotes can be found all throughout your site)

Only your LastPass password can unlock your data and only YOU have it.

Not according to LiveHttpHeaders. According to it, logging in through your site sends you our password.

POST /login.php HTTP/1.1
Host: lastpass.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 LastPass/1.27 FirePHP/0.1.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://lastpass.com/
Content-Length: 165
Cookie: *censored by gerry, just in case*
Pragma: no-cache
Cache-Control: no-cache
method=web&hash=ac35e68540d9883153f8fb7154e0d30a0b866d27e71030d84fb1739bf65f6168&xml=1&username=gerrysemailusername&email=gerrysemailusername&password=gerryspassword

Now I might be missing something. I would have checked using Wireshark just to make sure that it's not a fault in liveHttpHeaders (although I don't believe it is), except the traffic is of course encrypted, so I can't read it once it's left Firefox. However if I'm not missing anything, then everybody's password has been sent to your site every time they logged in via the site, which kinda negates any implied security of the passwords which are encrypted on your servers.

I hope I'm just missing something.

[JoeSiegrist]

Thanks for the report -- unfortunately you weren't missing something, this was a bug on our part, on logins from the LastPass.com website only. We caused this due to an oversight: we had 2 versions of the homepage we created, in the one we didn't end up using we fixed this, and failed to work the fix into the version we ended up using.

It's been resolved, (and you can retest).

It was done over HTTPS, an encrypted channel, and I can assure you that it was accidental and the password wasn't logged or used (the hash parameter is what's used); and that the plugins do not have this issue.

It shouldn't have happened, and you have my apology; depending on your level of paranoia, you may want to change your lastpass password and account passwords (again, I don't think it's necessary because we didn't gather it; but I do want you to feel comfortable that we don't have your password).

Thanks again,

Joe Siegrist
LastPass

[Gerry]

Your privacy is critically important to us. LastPass has a few guiding principles:

* We don't allow you to send us critically important information like your password; instead your LastPass master password is used locally to encrypt the important data that's sent to us.

IMPROVE SECURITY
Passwords are locally encrypted and stored on your PC or Mac. Only your LastPass password can unlock your data and only YOU have it.

What if someone steals your servers?
Your data is encrypted with your key that LastPass doesn't have, so it can't be taken. The only piece of information that we have (and it's server side encrypted), is your password hint and email address.

What encryption is being used?
AES utilizing 256-bit keys. AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins. This is important because your data is always encrypted and decrypted locally on your computer. Your password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data.

If someone steals my LastPass master password, then can't they steal my identity?
This is the same risk you have with your email account: it's simple to use the forgot password link on websites. It's also much more difficult for a hacker to obtain your LastPass master password because unlike email, with LastPass your LastPass password never leaves the PC you're using.

Do you use a salted hash for login purposes?
Yes, we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then server side we pull a second 256 bit random hex-hash salt from the database, use that to make a salted hash which is compared to what's stored in the database. This is beyond overkill but we want to store nothing that can even theoretically be used to do a dictionary attack against password hashes if we were somehow compromised. We hope having nothing of value makes us less of a target, and that by taking every conceivable caution we can think of makes you more safe.

I know all too well that everybody makes mistakes and I knew this before I discovered the flaw in your login on the site (this is why I'm so adamant about you addressing the "trust issue" in your app, as I have posted about before). I do not blame you guys in any way for this as it was clearly a mistake... however the one thing you need most from your users if you are to be successful is trust.

You gain trust in times like these when you have a choice to let important issues go by unnoticed or admit the mistake and scream it from the rooftops so that every single one of your users knows about it. Maybe some users will see this as a bad thing, however I have a feeling that the vast majority of your users (the ones who's associates turn to in regard to security issues/products/services) are pretty clued in and would realise that mistakes happen and it's VERY important to have a security company that tells you when they fuck up (and addresses issues properly) so that you can do whatever you need to in order to address things on your side.

*crosses fingers and hopes you get what he's saying*

[Gerry]

Was this email sent out to all LastPass users?

LastPass Security Notice

We were notified last night of a security issue that we wanted to make you
aware of. This issue was solely with logins to the LastPass.com website
when the login form on the upper right was used. If you did this before
September 1st 9am Eastern, your LastPass Master Password was accidently
sent to LastPass via an encrypted https connection.

There was no impact if you used the IE or Firefox plugin to login to the
LastPass.com website (if you're logged in, you don't see the form).

If you were impacted, your password was sent over an encrypted connection
to LastPass, and we didn't store or use the password in any way, so we are
confident that the impact here is minimal, and you don't have to do
anything. For the most cautious users, if you feel it necessary to change
your LastPass master password (and your account passwords), we encourage
you to do so.

We at LastPass want to reassure you that we are serious about your security
and privacy, and want to apologize for this error.

If you have any questions on this, don't hesitate to send email to
support@lastpass.com

LastPass Support

Sorry but I live with a lawyer and as such I've learnt to never
assume anything and to always ask specific questions. It's not
my intent to offend anybody by this question.

[JoeSiegrist]

Was this email sent out to all LastPass users?
...
Sorry but I live with a lawyer and as such I've learnt to never
assume anything and to always ask specific questions. It's not
my intent to offend anybody by this question.

Yes it was sent to each and every LastPass user, though a few grey listing mail clients haven't received it yet. I should have credited you in the email -- sorry about that.

To respond to your previous message, yes, we think this is the best way to handle security incidents; and based on your post, we've also added it to the announcements section.

Thanks,

Joe

[Gerry]

>Yes it was sent to each and every LastPass user, though a few grey listing mail clients haven't received it yet.



>I should have credited you in the email -- sorry about that.

F that, my head's already big enough! I'm just very glad you did it. I've been wanting a service like Last Pass for years now Joe. Your implementation is sooo close and I really want you all to succeed... there's just that one last step which is needed. That last step being (as I said in my mozilla addons review [6 days ago, before knowing about this issue] and other posts I've made here), fixing the trust issue by making it impossible for you to send stuff to yourself unencrypted unless it should be, which as this issue proved, can happen accidentally. Or certification, which as you pointed out, probably isn't feasible. If that can be fixed then I would recommend you to everybody and I'm sure they would all do the same after they started using it.

>To respond to your previous message, yes, we think this is the best way to handle security incidents.