Password managers are intended to make life easier and safer for consumers, but researchers from Salesforce have discovered a way to crack LastPass and this could mean other similar services are also vulnerable.
The IBM Security Intelligence blog noted that Martin Vigo and Alberto Garcia, both Salesforece engineers, used a variety of methods to get around LastPass’s walls.
“The goal here was to reverse engineer the browser plugins, analyze all the files stored in the system and see if we could obtain the key that decrypts the vault,” Vigo wrote in a recent blog.
The pair used cleartext password recovery, targeting specific cookies, bypassing two-factor authentication and they discovered a series of design flaws that allow entry.
When informed of the issues LastPass fixed the problems, but Vigo noted that “There is no bug-free software and any future research on other password managers would likely have similar results.”