SIK-2016-024


Title:

Read Private Date (Stored Masterpassword) from LastPass Password Manager

Report ID

SIK-2016-024

Summary:

  • Vendor: LastPass
  • Product: LastPass Password Manager
  • Affected Version: 4.0.52, platformBuildVersionName=”6.0-2704002″
  • Severity: medium
  • Short summary: This vulnerability is only working on older Android versions (< 4.1). With the internal LastPass web browser it is possible to read files from the local app folder. This can be abused to steal the stored master password (see SIK-2016-022). The following description illustrates reading SharedPreferences files containing the encrypted master password.

Details:

An attacker which has access to the mobile device (evil maid attack) can start the LastPass app and call the internal LastPass browser (no login required, just swipe left menu->browser). When he enters the URL: file:////data/data/com.lastpass.lpandroid/shared_prefs/LPandroid.xml the browser shows the shared preference file storing the master password and/or the PIN (see screenshots).

<string name="uid">104984802<lstring>
<string name="showlaunchalert">1</string>
<string name="dofastdecryption">1</string>
<string name="loginpw">!CRpsShT82h9bfkoPprrtHA==lEbI41MyZXyI3XT1Yne4EoA==</string>  <======= encrypted master password
<string name="allowofflinelocal">1</string>
<string name="lastchallengenag_teamsiksm1@gmx.de">1470993329752<lstring>
<string name="enablefloatingbubbleforbrowsers">0</string>
<string name="clearhistoryonlogout">0</string>
<string name="loginoffline">0</string>
<string name="usemobileuseragent">1</string>
<string name="browserhomepage">http://www.google.com</string>
<string name="lastrunversiondate">1471396522783<lstring>
<string name="hidefillhelperseconds">0</string>
<string name="donotreprompt_after_login">1</string>
<string name="rememberpassword">1</string>

The URL attack was tested successfully on a HTC Sensation z710e wit Android 4.0.3. It also must be mentioned, that on the newest Android version M and N (Marshmallow 6.0/ Nougat 7.0) the file:// prefix URL file access is forbidden. The attack was also tried on an Standard Android 4.4 on a Nexus 4 device, and it did not work. It seems the attack is not working on every device, but because of the diversity of different Android versions and manufacturer modification it would not be possible to test every type of device, Android version and manufacturer Android version. It is recommended to implement an URL filter preventing local file access.

Workaround

As described in section details this attack works only on older Android verions for the LastPass app. So this seems to be a problem of the operating system and must be fixed on OS side. There will be no updates for such old Android version so the best mitigation would be to buy a new device 🙂

Suggested Mitigation

The file access through browser URL can be mitigated by implementing a filter function blocking file:/// prefix access to the local folder. But this workaround is only working for non root access to the local app folder. A full fix suggestion can be found in section 4.

Timeline

  • 2016-08-22 Vulnerability Discovered
  • 2016-08-24 Vulnerability Reported
  • 2016-09-06 Vulnerability Fixed