@timmc
Created June 15, 2015 19:51
LastPass support doesn't believe their site can be compromised
2014-04-09 14:56 [You]
I would like more information on how the Online Vault is able to manage and expose passwords. Specifically, when I click the "reveal password" icon, is that password text actually present in the page context? If so, I have some security concerns.
My *guess* is that when I am logged into my LastPass extension, it recognizes the Online Vault as the trusted site and responds to requests for data. (I hope it does not simply transmit the master password or any derivative of it down to the page!)
My concern is that under an attack scenario where an attacker can inject javascript into the Online Vault page (via cross-frame vulnerabilities, SSL tampering, etc.) they can request decryptions and then exfiltrate that data. Note that this could all happen without user interaction, e.g. in a hidden iframe on an attack site.
If my assumptions above are true, I would like to see an option that prevents the extension from communicating decrypted sensitive information to lastpass.com.
==============
2014-04-09 15:09 [LP]
When you select show on a password in the online vault, it's manually decrypted using javascript on a page by page basis. Everything is done locally on the page, and not transmitted anywhere (both in the Online and Local Vault). So even in the online vault, the encrypted blob data is loaded on the page, and only decrypted locally. Nothing is ever decrypted in transit in LastPass. Let me know if that makes sense.
Best,
LP
==============
2014-04-09 15:36 [You]
That's what I was afraid of, actually. Is there any way I can prevent the extension from communicating with the Online Vault? If an attacker managed to inject a malicious script into the Online Vault page (either in transit or in the browser environment) my passwords would be compromised.
Also, when you say "the encrypted blob data is loaded on the page", does that imply that a decryption key is also loaded onto the page?
==============
2014-04-10 10:19 [LP]
There is no way to prevent connection with the online vault except not going to it. And technically, yes, if your browser were compromised what you're asking is possible; however, if your browser is compromised to the point that this is possible, you likely are going to have a lot of other issues beyond just this. Yes, the decryption key is loaded (again locally) onto the page and still never sent to us.
Best,
LP
==============
2014-04-10 10:47 [You]
OK, good to know.
I'm not thrilled, mind you -- anyone who can successfully MitM my connection to LastPass could steal all my passwords. (This is not a theoretical thing -- there are a *huge* number of SSL bugs remaining to be found.) Firefox's built-in password manager would not be compromised by such an attack, for instance.
But you've answered my question.