Last year, the two researchers managed to crack LastPass' master password on installations where the "remember password" option was enabled. They have now presented a new series of attacks at the Black Hat Europe security conference in Amsterdam.
The researchers studied three scenarios. The first is client-side attacks, made possible by a design flaw in LastPass' session cookie: the cookie stored the key used to encrypt the password vault key. Through a series of decryption steps, this granted access to all of the user's passwords.
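To make the cookie flaw concrete, the following added example (constructed for this article, not LastPass' real cookie layout, wrapping scheme or storage format) contrasts a hypothetical session design that puts the vault-key wrapping key in the cookie with one that issues only an opaque session id, and shows what a holder of the cookie plus the server-side record can recover in each case:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed illustration of a hypothetical vault service; none of the
# formats below are LastPass' own.

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Vault key derived client-side from the master password with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 keystream cipher, stdlib only; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def flawed_session(vault_key: bytes) -> Tuple[dict, bytes]:
    """Flawed design: the vault key is wrapped under a key that is then placed
    in the session cookie, so whoever holds the cookie holds the unwrapping key."""
    wrap_key = secrets.token_bytes(32)
    wrapped_vault_key = keystream_xor(wrap_key, vault_key)  # stored server side
    cookie = {"sid": secrets.token_hex(16), "wrap_key": wrap_key.hex()}
    return cookie, wrapped_vault_key

def hardened_session(vault_key: bytes) -> Tuple[dict, bytes]:
    """Hardened design: the cookie is an opaque session id and the server keeps
    only a one-way verifier bound to it; the vault key stays in client memory."""
    cookie = {"sid": secrets.token_hex(16)}
    verifier = hmac.new(vault_key, b"session:" + cookie["sid"].encode(),
                        hashlib.sha256).digest()  # cannot be inverted to the key
    return cookie, verifier

def vault_key_from_cookie(cookie: dict, server_blob: bytes) -> Optional[bytes]:
    """What a party holding the cookie and the server-side record can recover."""
    if "wrap_key" in cookie:
        return keystream_xor(bytes.fromhex(cookie["wrap_key"]), server_blob)
    return None  # an opaque id plus a one-way verifier yields no key material

if __name__ == "__main__":
    vk = derive_vault_key("correct horse battery staple", b"constructed-salt")
    c1, blob1 = flawed_session(vk)
    c2, blob2 = hardened_session(vk)
    print("flawed design, vault key recovered:", vault_key_from_cookie(c1, blob1) == vk)
    print("hardened design, vault key recovered:", vault_key_from_cookie(c2, blob2))
```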
Enabling 2FA (two-factor authentication) did not make the password any safer, because LastPass previously relied on a locally stored token that allowed 2FA to be bypassed easily. Moreover, the same token was used for all browsers, and it was injected into the page's DOM, allowing attackers to steal it via XSS attacks.
The second scenario is server-side attacks, where the researchers looked at LastPass' mechanism for injecting usernames and passwords into web pages. LastPass used custom JavaScript for this, and attackers could append malicious code to the custom_js LastPass parameter, which led to data being stolen from login pages.
The third scenario covers attackers positioned neither on the client nor on LastPass' servers.
The researchers said, however, that the company was notified of the issues and was quick to release fixes.