2

Is there any sort of documentation to verify that the user info inputted with automatic formfill on "Secure forms" is protected from theft by a keylogger or trojan collecting clipboard data?

I ask this question because looking at their security implementation from an end-user standpoint, it seems the only viable attack surface is capturing the formfill data, assuming the account is otherwise secured with 2FA.

Spriter
    Is the feature compromised? No. Is it possible that a local process can intercept the data? That's a different question. – schroeder Nov 27 '16 at 22:10

2 Answers

6

Aren't you kind of already at a worst case scenario level with security when there is a keylogger installed?

It would be very dangerous to assume that LastPass (or any program) can protect plaintext from being read on a compromised machine.

This question/answer might help guide your security practices: LastPass - Best practices on foreign devices

trognanders
  • That post helps a lot actually, thank you! I ask this scenario because it's exactly that, a worst case scenario. I wanted to know what to assume is exploited and what isn't if an attack has been detected. Seems it's safe to assume formfill is not. – Spriter Nov 27 '16 at 20:58
  • 2
    @Spriter It is safe to assume that if you log into LastPass on a known compromised machine, that your master password, and the passwords stored in the account, ***are quite possibly compromised***. In this scenario, the best practice would be to change all of your passwords asap. – trognanders Nov 28 '16 at 09:43
1

I would say even if that mitigated attacks from keyboard loggers and clipboard loggers, it would still be susceptible to "Man in the browser" attacks, in which the browser process itself is hijacked.

If you check out the book "Black Hat Python" chapter 9, there is great documentation on this attack and even working code in Python for doing the exact attack I mentioned. I have read this book and referenced it many times and can verify the code given works. Hope this helps.

schroeder
Beetle
  • Interesting, I will have to read that excerpt. Following up on what you said, a MITM attack on the browser process itself: do you believe it matters whether it's a "Secure" or "Unsecure" form? I ask this because on some (poorly) made websites, LastPass will prompt that the login form is vulnerable and unsecured, while on others there is no warning, presumably meaning it's "Secure". Yet there is little documentation as to what it means from LastPass' point of view. – Spriter Nov 27 '16 at 20:53
  • @Spriter I am not sure, but I would assume it is basing whether or not the form is secure on HTTPS versus HTTP, wherein just HTTP would not encrypt your data, leaving it susceptible to inspection by those that are able to view the traffic. It may also consider a self-signed certificate as being insecure. Man in the browser would mitigate encryption because the browser will handle that process, letting the attacker in the hijacked browser process observe encrypted and unencrypted traffic. LastPass would not be able to prevent or mitigate that kind of attack. – Beetle Nov 27 '16 at 22:32