Post AQvRvmHCWVRJeaxi2i by eric_capuano@infosec.exchange
 (DIR) Post #AQvRvkwbTbMxWQJkIa by eric_capuano@infosec.exchange
       2022-12-24T05:57:58Z
       
       0 likes, 2 repeats
       
       Ok, I was tired of rumors speculating about which #LastPass fields appear to be encrypted client-side before being sent to LastPass, so I ran some tests of my own.
       
       For a basic "Password" item, here is what I can tell so far.
       
       When saving the item, the following primary fields are transmitted encrypted:
       Name
       Extra (Notes field)
       Username
       Password
       TOTP (not in this screenshot, but did test)
       
       However, I also observed the following fields having a cleartext (hex) version in the payload as well:
       Name
       Username
       URL
       Folder Name (not hex)
       
       So in other words, there is more than just the URL being transmitted to LastPass in the clear, which makes sense because LastPass' Admin console reveals login activity for all users which includes Name, Username, and URL of the login event; so naturally, these things must be transmitted and kept server-side outside of the vault. However, this once again does go against their "zero-knowledge of anything in your vault" marketing...
       
       Screenshots of this test below. I have omitted the encrypted data to prevent revealing enough for a "Known Plaintext Attack" to derive a key, but the relevant pieces are visible. If I am missing anything here, do let me know.
       
       #LastPassHack #LastPassBreach
       
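A way to repeat the kind of check described in the post above on your own captured traffic, added here as an example and not code from the thread or from LastPass: hex-decode each form field and test whether it yields printable text (cleartext that is merely hex-encoded), otherwise judge it by entropy. The parameter names and values in the sample body are constructed for illustration and are not LastPass's real field names; the thresholds are heuristics.

```python
"""Triage a captured form-encoded request body from a password-manager client:
which fields are readable (plain, or plaintext merely hex-encoded) and which are
opaque blobs consistent with client-side encryption. Heuristic, not proof."""
import binascii
import math
from urllib.parse import parse_qsl

# Constructed sample body; the parameter names are made up for illustration and
# are NOT LastPass's real field names.
SAMPLE_BODY = (
    "name=4578616d706c652042616e6b"                        # hex("Example Bank")
    "&url_hex=68747470733a2f2f62616e6b2e6578616d706c65"    # hex("https://bank.example")
    "&folder=Personal"                                     # sent as-is, not hex
    "&enc_password=%21Kx9mQ2pL7vN4sRt8WbY3cZ6eHd1fGj5uAo0iVnCq%2BMxP%3D"  # base64-like blob
    "&enc_extra_hex=ff3a5c910b7ec21844a9d36f02e185374b9c2df068b41e57c9a30d72e639815a"  # hex blob
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; natural-language text sits well below ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def _looks_hex(value: str) -> bool:
    return len(value) >= 2 and len(value) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in value)

def classify_value(value: str) -> str:
    """Return 'hex-plaintext', 'opaque' or 'plaintext' for one field value."""
    raw = value.encode()
    if _looks_hex(value):
        decoded = binascii.unhexlify(value)
        try:
            if decoded.decode("utf-8").isprintable():
                return "hex-plaintext"   # hex was only an encoding; the text is readable
        except UnicodeDecodeError:
            pass
        raw = decoded                    # hex-encoded ciphertext: judge the decoded bytes
    # Random-looking data of useful length is treated as encrypted/opaque.
    if len(raw) >= 16 and shannon_entropy(raw) >= 4.5:
        return "opaque"
    return "plaintext"

def triage_form_body(body: str) -> dict:
    """Map each field name in a URL-encoded body to its classification."""
    return {name: classify_value(value) for name, value in parse_qsl(body, keep_blank_values=True)}

if __name__ == "__main__":
    for field, kind in triage_form_body(SAMPLE_BODY).items():
        print(f"{field:15s} {kind}")
```

A hex-looking field is not automatically cleartext: the last sample field is hex but decodes to high-entropy bytes, so it is reported as opaque, while the first two decode to readable text.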
 (DIR) Post #AQvRvmHCWVRJeaxi2i by eric_capuano@infosec.exchange
       2022-12-24T06:04:26Z
       
       0 likes, 0 repeats
       
       inb4 someone says "why does it say that password: password is REUSED?!"
       
       because I ran multiple tests using that same value :)
       
 (DIR) Post #AQvRvmLoFN7rst7OE4 by eric_capuano@infosec.exchange
       2022-12-24T06:16:34Z
       
       0 likes, 0 repeats
       
       Another point of clarification— I am not saying all of these values are stored in the vault in the clear, I am only analyzing what is transmitted to LastPass’ servers. It’s possible some of this data is just used on their backend and not persisted to the vault in this format. Someone else that’s done more analysis of an offline vault (@sawaba ?) can maybe bounce my findings off of theirs.
       
 (DIR) Post #AQvRvp24HE7KCWuAN6 by eric_capuano@infosec.exchange
       2022-12-24T06:07:02Z
       
       0 likes, 0 repeats
       
       Quick clarification on what I mean by "transmitted encrypted" or "transmitted in the clear":
       
       ALL of this traffic is sent over TLS (encrypted). I am referring to the data itself inside the payload, whether or not it is encrypted client-side before being transmitted to LastPass servers.
       
 (DIR) Post #AQy1Rx4Xnzg37C2U40 by balan@freespeechextremist.com
       2022-12-25T13:56:20.513789Z
       
       0 likes, 0 repeats
       
       @eric_capuano I'm feeling validated in my refusal to use web-based password managers. They said I was being paranoid.