So, to start with, I am a big user of LastPass. I still trust the product even though it's hacked. Yes, it's hacked, but here's how the hack works. Let's break it down a little bit, because I don't like click-baity headlines that just say, you know, the sky is falling, everything's gone to hell in a handbasket, don't use this, don't use anything. The reality is: yes, this is a vulnerability. Yes, they're fixing it. Yes, they actually fixed it already. Also, it's non-trivial, and what I mean by non-trivial is it's not like a hack where you just go to a website and you're done, you're exploited, it's over. That would be very, very terrible and bad; those are the worst hacks. It doesn't mean this doesn't need to be fixed, doesn't mean it's not a concern. It's just not that concern. It's not like one click and you're done. Now, in order to make this hack work (and we'll go through the code real quick here; there's a great explanation I found on Reddit for how this works), it stacks vulnerabilities. They discovered that LastPass, from this URL, which by the way right now is down, I can bring it over here and we can do a dig real quick. It's gone. They removed the domain. Imagine that, and they probably changed it because they also released an update of LastPass. But what he had discovered was there's a manifest file in the scripting, and what a manifest file is going to say is: you are allowed to do these things. Well, it turns out that this can send, via the manifest, from LastPass to do code executions. So what he did was, as shown here, calculator will work by modifying the code in a page to do it. But there's another step to this: you have to spoof this address, and that's key. In order to spoof this you have to have the DNS on your computer hijacked, or have someone alter a DNS entry for LastPass, faking it, and this is a really, really hard thing to do, because it's also a very hard thing to secure.
They have to hijack what this domain means. So this domain always takes you to LastPass; LastPass calls out and asks for files from this domain. It says, yes, you're LastPass, I'm going to trust it. They then have to spoof this domain and spoof the security certificate for the domain to get your computer to trust it. But if they have access to your computer, they have access to both of those things. So if you're on a network that's compromised, you can get these two things spoofed, and then, and only then, can this function send arbitrary code, because it's actually not coming from their servers. The flaw in LastPass: one of the Reddit users broke it down really well right here. We'll give a shout out to fish supreme over here in netsec. I can leave the link to the article here. "LastPass's extension manifest says to accept [messages] coming from the script from 1min-ui-prod. Not a problem. The script on 1min-ui-prod passes incoming messages straight to the extension without checking where they came from. This is a bad idea," and that is what is quoted in the script. So it's basically not validating what comes from there, which, even if you spoofed it, you still should validate, because that would stop the problem. "So any website that could open a page and send messages to it, were it not for the two above issues, would be a problem. But here it is: one of the messages that the LastPass extension takes, called openattach, will execute a file that it receives encoded as an attachment. Those encoded parameters contain a batch file that runs calc.exe," which then runs, and, as was the example used here, they were able to get calculator to run. I did really like this. Apparently LastPass, who has done a great job, they don't mind disclosure. They update quick. They get these submitted. If you're not familiar with Tavis Ormandy,
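The write-up's point is the page script that passes incoming messages straight to the extension without checking where they came from. As an added example (not LastPass's or the researcher's code), here is that unchecked relay next to a checked one; the origin, the allowed message types and the sample events are constructed for the demonstration.

```javascript
// Added example, not LastPass or the researcher's code. A page script that relays
// window.postMessage traffic into a browser extension, first the unchecked form the
// write-up describes, then a checked form. TRUSTED_ORIGIN, ALLOWED_TYPES and the
// sample events are constructed for this demonstration.

const TRUSTED_ORIGIN = "https://trusted.example"; // placeholder for the vendor's own origin
// Allowlist of message types the extension is willing to act on. Anything that would
// execute or drop a file (the write-up's "openattach") is deliberately not on it.
const ALLOWED_TYPES = new Set(["ping", "getVersion"]);

// Unchecked relay: every message the page receives is forwarded to the extension as-is.
function uncheckedRelay(event, forward) {
  forward(event.data);
  return true;
}

// Checked relay: verify who sent the message and what it asks for before forwarding.
function checkedRelay(event, forward, ownWindow) {
  if (event.origin !== TRUSTED_ORIGIN) return false;   // wrong sender origin
  if (event.source !== ownWindow) return false;        // came from another frame/window
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (typeof msg.type !== "string" || !ALLOWED_TYPES.has(msg.type)) return false;
  // Rebuild the message instead of forwarding the caller's object verbatim.
  forward({ type: msg.type, id: Number(msg.id) || 0 });
  return true;
}

// Run a relay over a list of MessageEvent-like objects and return what got forwarded.
function simulate(relay, events, ownWindow) {
  const forwarded = [];
  for (const ev of events) relay(ev, (m) => forwarded.push(m), ownWindow);
  return forwarded;
}

// Constructed sample traffic: one legitimate message, one from a spoofed page,
// one legitimate-looking message arriving from a child frame.
const ownWindow = {};
const SAMPLE_EVENTS = [
  { origin: TRUSTED_ORIGIN, source: ownWindow, data: { type: "getVersion", id: 1 } },
  { origin: "https://attacker.example", source: ownWindow, data: { type: "openattach", id: 2 } },
  { origin: TRUSTED_ORIGIN, source: {}, data: { type: "ping", id: 3 } },
];

const unchecked = simulate(uncheckedRelay, SAMPLE_EVENTS, ownWindow);
const checked = simulate(checkedRelay, SAMPLE_EVENTS, ownWindow);
console.log(unchecked.length, "forwarded unchecked;", checked.length, "forwarded checked");
```

The unchecked relay forwards all three sample messages, including the one naming a command it should never accept; the checked relay forwards only the first.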
he's an amazing vulnerability researcher at Google. Some people think he's a little harsh, but he seems to care more about the users than the companies. So he does follow proper disclosure rules, and then he gets to rant about them. So he's a great security researcher. I'm glad he's on the good guys' team, as he's really, really smart. So with this being said, when he first submitted it, apparently they said they couldn't get the exploit to work, and he looked at the logs, and he said, like this: "They also said they couldn't get my exploit to work, but I checked my Apache access logs and they were using a Mac. Naturally, calc (see what's up here) on a Mac. Nevertheless, disabling 1min-ui-prod seems good enough mitigation for now." Because that's what they did immediately, and like I said, I showed you there, it's currently disabled. But nonetheless, it's pretty clear that this is a major problem. And then down here he says: "Hopefully taking down the service, not just removing the DNS entry, or a man in the middle could still insert correct DNS responses." That's kind of what I'd said: someone has to spoof your DNS in order to do that. Or, like he said here, if you're in a corporate environment, people are intercepting SSL with proxies by installing certificates on your computer to create trust. That means it could happen if they hacked at the corporate level and your internal corporate team's using it; they could build that trust in there. But if they're inside and have that level of control, they can do a lot of other things. Now, this happened to LastPass before: someone had a spoof, and Tavis, I found this as well, which was you could spoof the domain again, and you think you're going to, let's just say, twitter.com, but you're actually not, you're going to a fake version of twitter.com, and LastPass will fill in the password for the fake version of twitter.com. Once again, they have to be able to spoof twitter.com instead of it actually going to the real Twitter. They have to set up a fake Twitter and have
control of your DNS. These are still bad scripts, but I just like to get to the details of how they actually work, because the headlines you read through some of these articles, they just don't give you some of that. They just want headlines; they want clicks. "Two critical bugs found in Chrome and Firefox: what password managers should not do: leak your passwords." That's a great headline, because you're correct, it shouldn't leak your passwords. What a great idea, LastPass. But they're not really; it's having that little bit of detail of what is going on here that matters, because it's not like you can click on it and it's just the end of the world, it's all going to die, someone's going to make a website and they're just going to steal everything and it's going to fall apart. It's a bad hack. It is a major security concern, it needs to be fixed, but it still requires what we refer to as stacking attacks. So there has to be a couple of different factors in place to make this work, and that's always what I like to say with some of these: making sure that we understand all the pieces needed. It doesn't mean it's not being used; matter of fact, we know vulnerability stacking is how most of these exploits occur: one thing leverages the next thing, leverages the next, and that's how this happens. So, but I want to clarify how the LastPass hack happened. Are you fixed? Yeah, LastPass auto-updates; we already have the new version. It's a browser extension, so it updates really fast. Also, by the way, as to the fact that it wouldn't work on a Mac: the payload has to be designed for the OS and targeted at the OS, and I run Linux all the time, so it's less statistically likely. But security by obscurity is not security at all, by the way. But I just wanted to, you know, cover the LastPass hack and at least show you what was there. I'll throw a link to the Reddit article, where it's got some explanation, some more discussion on it that's really enlightening.
It's still, like I said, a major concern. But once again, Tavis, being very upstanding, when he turned this in he did the full disclosure. He found the bug, disclosed it to LastPass, they patched it, and then he posted about it on Twitter and the public bug reports become viewable. So they still go through proper security disclosure, which is wonderful. That's what we want, is for all these things to go on there. So if I'm wrong about something, uh, you're never as wrong as when you're wrong on the internet, so let me know. But I think I covered it. I just wanted to let you know: I still would recommend the product. It's still a concern. I'm glad they fixed it. LastPass has been very active. Now, does this mean we should use a different password manager? Well, here's the thing: I'm willing to bet LastPass, being the largest password manager, gets picked on the most. We have found smaller, uh, password managers, but they don't even make the list, because if you don't have any user base, who cares if it's attacked? I hate to say it that way, but there's no bug bounty for it, and there's a bug bounty for finding bugs in products. So back to that: LastPass, I still use it. Um, I don't have a problem with the company. They're going to find bugs. The internet is the most complicated machine ever built by humans; securing it is also one of the most complicated things we've done, whether it's the internet as a whole or specifically, like, LastPass. Security's hard. I like LastPass because they're on top of it and working on it. So I still trust the product, but this was a concern. I'm glad it's fixed, and, um, hopefully they'll learn the lesson, and these companies are learning, you know, being out there. And we have found bugs in every product of every manufacturer. At least LastPass has a response and is, uh, you know, on top of getting these things patched. So thank you for listening. If you like the content here, like and subscribe. Thanks.