You are looking at intermediate data of what's stored in your decrypted blob. Yes, some things are encrypted twice in the Lastpass vault.
The contents considered "unencrypted" by the blog post are actually only accessible after your private key has been provided.
"How can Lastpass show me the Google logo?" It's shown by your Lastpass Extension, after your vault has been decrypted with your password. It's the same reason that Lastpass can show you the password saved for Google!
Notice that request has an unencrypted folder name, "Email." Those folder names are only accessible after the decryption of the entire vault.
URLs are encrypted. LastPass does not know your URLs.
I noticed the article does not include the destination URL for this request, only the parameters. So I can't make a determination as to why this request was made and who the destination server is.
I just tried adding a new site to the "Email" folder, and no requests to remote servers showed up in my Network tab.
IF the LastPass extension really does make a call to lastpass.com with this information, then, yes, there is a possibility that Lastpass can track these hashes in some separate store. But that doesn't mean that the encrypted vault blob has the unencrypted data as claimed.
LastPass does actually know URLs. After logging into LastPass.com, you can navigate to https://lastpass.com/getaccts.php (only accessible post authentication with a valid session cookie.)
This will return an XML document with your vault data. Most of it is encrypted, however a URL parameter is encoded as hex, in plaintext. I am able to look at all URLs. They could be storing the blob fully encrypted in a server datastore, but at some point, the LastPass servers are handing the client non-encrypted URLs.
Agreed that the vault blob almost certainly hides all of this, but the question still remains about how the logo is initially obtained. There still might be a leak to lastpass when the logo url is first requested.
And if the extension is pulling the logo from the web then there is also a leak to each site whenever it pulls (rather than to lastpass itself).
Best case scenario: the extension comes with a list of the most common logos baked into it. But if that's the case, why would it save a logo url. Hmm ...
I'm pretty sure we'll be hearing back from Lastpass on this one.
That's not really a leak unless you're keeping a password to some site without actually using the site and don't want the site to know you've done this. But that probably doesn't come up often in practice.
Well, sure, but any out-of-band communication is potentially a leak. If the extension pulls every logo whenever you run it (notwithstanding whatever caching is used, if any), then every site that has a logo could track when you open the extension at all. There are other potential issues here too ... like if a maliciously formed logo image could be used to crash the extension, etc.
Those aren't great examples, but any out-of-band information leak is a bad thing to have. Even if there are no known exploits now there might be future exploits that haven't been anticipated. A common issue when it comes to security.
How can the site tell you're using the extension? And so what if it does? The site can guess you're using a password manager by noticing the instant password entry. The malicious logo, that's really a problem for your browser to deal with. Using an extension to help you talk to a site you already talk to is not really a leak, given the purpose of such extensions.
A lone request for the logo image with no other simultaneous requests in the log could probably be gleaned as a lastpass extension lookup.
And again in this scenario (which we don't know if it's accurate, yet) it's pulling the image for every site with a logo whenever you browse the vault. So your IP address could be leaked to a site that you don't want to know your whereabouts at that moment.
Forensic information is forensic information. A security-conscious tool should not be increasing one's forensic footprint.
It looks like this happens when you use the web version of Lastpass available on their website, not through the extension.
I've been able to confirm when you update a site through the web interface it makes a POST request to https://lastpass.com/show_website.php with the `url` parameter which contains the hex-encoded URL of the website. I think the author is correct about this.
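The two posts above (the `getaccts.php` XML with a hex-encoded URL field, and the `show_website.php` POST with a hex-encoded `url` parameter) both rest on the same point: hex encoding is not encryption, so anyone who sees the document or the request body can read the URL, while a field encrypted under a key that never leaves the client stays opaque. The script below is an added illustration, not code from the thread or from LastPass. The XML layout, attribute names, and POST body are constructed to match the thread's description only; they are not LastPass's real format.

```python
"""Added example: distinguish hex-encoded (readable) fields from opaque ones
in a constructed vault-style XML document and a constructed POST body.
The data shapes here are assumptions modelled on the thread, not LastPass's."""
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample XML: the "name" attribute holds an opaque ciphertext-like
# value, while "url" is the hex encoding of the plain URL (as the thread describes).
SAMPLE_XML = """<response>
  <accounts>
    <account name="!Q2lwaGVydGV4dA==" url="68747470733a2f2f6d61696c2e676f6f676c652e636f6d2f"/>
    <account name="!UGFzc3dvcmQ=" url="68747470733a2f2f6578616d706c652e6f7267"/>
  </accounts>
</response>"""

# Constructed sample of a form-encoded POST body carrying a hex-encoded "url" parameter.
SAMPLE_POST_BODY = "url=68747470733a2f2f6d61696c2e676f6f676c652e636f6d2f&extra=1"


def hex_to_text(value):
    """Return the UTF-8 text behind a hex string, or None if the value is not
    valid hex (which is what an actually encrypted field looks like to an observer)."""
    try:
        return binascii.unhexlify(value).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, TypeError):
        return None


def exposed_urls_from_xml(xml_text):
    """Decode every hex 'url' attribute in the document: these are readable by
    whoever serves or logs the document, no vault key needed."""
    root = ET.fromstring(xml_text)
    return [hex_to_text(a.get("url")) for a in root.iter("account") if a.get("url")]


def opaque_fields_from_xml(xml_text):
    """Attribute values that do NOT decode as hex text; a server-side observer
    learns nothing from these without the client's key."""
    root = ET.fromstring(xml_text)
    return [a.get("name") for a in root.iter("account") if hex_to_text(a.get("name")) is None]


def exposed_url_from_post(body):
    """The 'url' parameter of the POST body, as the receiving server sees it."""
    raw = parse_qs(body).get("url", [None])[0]
    return hex_to_text(raw) if raw else None


if __name__ == "__main__":
    print("URLs readable from XML:", exposed_urls_from_xml(SAMPLE_XML))
    print("Fields still opaque:", opaque_fields_from_xml(SAMPLE_XML))
    print("URL readable from POST:", exposed_url_from_post(SAMPLE_POST_BODY))
```

Running it shows the URLs coming straight out of the hex while the `name` values stay unreadable. The practical takeaway for reviewing any client/server protocol is the same: classify each field by whether an observer with no key can recover it, rather than by whether it "looks" encoded.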
> I just tried adding a new site to the "Email" folder, and no requests to remote servers showed up in my Network tab.
Well, I don't even have lastpass so I can't check, but it obviously has to be sending something when you save the new site or it isn't saving it in the cloud at all.