LastPass is a password management service that uses a browser extension to automate form filling and website authentication. This allows users to have strong, separate passwords for all online services they use, while remembering only one master password that unlocks their encrypted password vault.
For increased security, LastPass supports two-factor authentication using the master password and one-time codes generated by physical YubiKey USB authentication devices or mobile applications such as Google Authenticator, Toopher and Duo Security.
LastPass claims on its website that it protects users against phishing scams, online fraud, and malware -- in particular key loggers. However, according to Balazs, the extension can't protect users against malware like financial Trojan programs that hook into the browser process, against other malicious browser extensions, or against local modifications of its own code.
Balazs' demonstration at Hacker Halted showed how a piece of malware could modify the code of the LastPass extension installed in Firefox so that it sends the user's master password and a YubiKey authentication code to an attacker, who could then use the information to access the user's password vault.
He released his proof-of-concept code for backdooring the LastPass extension on GitHub and said that developing it only took two hours.
Most of Balazs' recent research focused on Firefox because it's easier to trick users into installing malicious extensions in this browser by using social engineering. Unlike Firefox, Chrome only allows the installation of extensions from the official Chrome Web Store repository and not from third-party websites, which makes it harder for attackers to distribute malicious extensions.
Sign up for CIO Asia eNewsletters.