LastPass backdoor
http://youtube.com/watch?v=Bf2nYkn32DM
This short demo is about a backdoored LastPass browser extension. An attacker can bypass even two-factor authentication (e.g. Yubikey) with this backdoored LastPass.

You can download the code from here: https://github.com/Z6543/Lastpass_bac...

Because LastPass browser extensions are simple user files (JavaScript files), any user-space malware can easily backdoor the extensions.

During the demo, when you see "hack the planet", it is the attacker, and when you see unicorns and rainbows, it is the victim.

What happens in the demo?

When the user tries to log in, the backdoored LastPass browser extension sends the username and password to the attacker. Next, the one-time password (yubicode) is sent to the attacker, so the attacker has every secret needed to log in. The password and one-time password are filled into the attacker's LastPass window automatically by a keyboard simulator script. Meanwhile, the victim receives a login failure, because a fake static yubicode string is sent to the server instead of the one-time password. When the victim tries to log in again, the login succeeds.

What is my goal with this?

LastPass marketing states "Protect yourself against phishing scams, online fraud, and malware". LastPass won't protect you against malware. Traditional malware can still steal all your passwords autofilled via LastPass (via API hooking, a malicious browser extension, etc.).

A determined attacker can even backdoor your LastPass Firefox extension and access all your secrets stored in LastPass, even if multi-factor authentication like Yubikey or Google 2-factor authentication is used.
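A defender's view of the point that extension files are ordinary user-writable files: this added example (not part of the original description or the linked repository) records SHA-256 hashes of an extension directory and reports files modified, added or removed since. The directory, file names and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(ext_dir):
    """Map each file's path (relative to ext_dir) to its SHA-256 digest."""
    root = Path(ext_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Return files modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed sample: a fake extension directory that is then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "sample-extension"   # hypothetical path
        (ext / "content").mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "sample"}')
        (ext / "content" / "login.js").write_text("function login() {}\n")
        baseline = snapshot(ext)               # taken right after a trusted install

        # Simulate another process in the same user account changing the files.
        with open(ext / "content" / "login.js", "a") as f:
            f.write("// changed after install\n")
        (ext / "content" / "extra.js").write_text("// new file\n")
        return compare(baseline, snapshot(ext))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Keep the baseline somewhere the user account cannot write, since a process that can modify the extension files can otherwise rewrite the baseline too. Legitimate extension updates also change the files, so the baseline has to be refreshed after each trusted update.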
