M 520: Stealing Secrets from LastPass on Android (15 pts extra)

What You Need for This Project

NOTE: This project does not work on the Mac M1.

Purpose

To examine how the LastPass Android app uses RAM. That is, badly.

Installing LastPass

In the Google App store, install LastPass, as shown below.

Open LastPass.

In the "Welcome to LastPass" screen, click and drag to the left.

In the "Never forget again" screen, click and drag to the left.

On the "Trusted and secure" page, click "SIGN UP", as shown below.

Enter an email address ending in mailinator.com, as shown below, and click Continue.

Enter a master password of CCSF#flip10! twice, as shown below, and click Continue.

Click "GO TO MY VAULT".

An "Autofill with LastPass" box pops up. Click ENABLE.

A screen asks for permissions. Click NEXT.

On the Autofill Service page, click LastPass. Click OK. Click ENABLE. Click NEXT.

In the "Accessibility" page, at the top left, click the back-arrow.

A warning box says your device is rooted. Click OK.

A page pops up saying "On to a faster autofill".

Close it by clicking the X at the top right.

Adding Private Data

On the Passwords page, at the lower right, click +.

Click "Payment card", as shown below.

Enter some information, as shown below.

Make a note of the fake credit card number you use.

At the top right, click SAVE.

On the Passwords page, at the lower right, click +.

Click Password.

Add a password, as shown below, and save it.

Logging Out

In LastPass, at the top left, click the three-bar icon.

At the lower left, click Settings.

Scroll to the bottom and click "Log Out", as shown below.

Click "LOG OUT".

LastPass is sitting there, waiting for a password, as shown below.

Getting Fridump

Fridump is a great utility to acquire RAM from the phone.

On your host system, execute these commands:

git clone https://github.com/Nightbringer21/fridump.git
python3 fridump/fridump.py -h

You see the Fridump help message, as shown below.

Finding the LastPass Process Name

On your host system, execute this command:

frida-ps -U | grep last

You see the name of the LastPass process, which was com.lastpass.lpandroid when I did it, as shown below.

Dumping Memory from LastPass

Flag M 520.1: Dumping Memory from LastPass (15 pts)

On your host system, execute these commands:

python3 fridump/fridump.py -U -s com.lastpass.lpandroid
grep -a CCSF# dump/strings.txt

Sometimes the master password is found, as shown below, and sometimes it's not.

The flag is covered by a green rectangle in the image below.

Changing your Master Password

Changing the master password seems to expose it in RAM more reliably than the actions performed above.

In the LastPass app, log in with your current master password, which is

CCSF#flip10!

At the top left, click the three-bar icon.

At the bottom, click Settings.

At the top, click "Your LastPass Account".

Click "Account Settings".

Click "Change Master Password".

Enter the old password and a new password of

CCSF#flip11!

twice, as shown below.

Click "Save Master Password".

Click OK.

LastPass shows the login page, as shown below.

Dumping the Process Memory

On your host system, execute these commands:

rm -rf dump
python3 fridump/fridump.py -U -s com.lastpass.lpandroid
grep -a CCSF# dump/strings.txt

Sometimes the old master password is found, as shown below.

Sometimes both the old and new master passwords are found, as shown below.
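
The grep commands above look for the password only as a run of single-byte characters in strings.txt. As an added example (not part of the original project or of Fridump), this Python script searches every file in the dump directory for the test secrets you planted, in both UTF-8 and UTF-16LE, and records the file and offset of each hit. The function names, the UTF-16LE assumption and the sample data in demo() are constructed for illustration.

```python
import sys
import tempfile
from pathlib import Path

# Assumption: a secret may sit in RAM as UTF-8 (native buffers) or as
# UTF-16LE (Java/Kotlin strings), so both byte patterns are searched.
ENCODINGS = ("utf-8", "utf-16-le")

def find_all(haystack: bytes, needle: bytes):
    """Return every offset at which needle occurs in haystack."""
    offsets, pos = [], haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets

def scan_dump(dump_dir, secrets):
    """Map (secret, encoding) -> list of (file name, offset) hits."""
    hits = {}
    for path in sorted(Path(dump_dir).iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for secret in secrets:
            for enc in ENCODINGS:
                for off in find_all(data, secret.encode(enc)):
                    hits.setdefault((secret, enc), []).append((path.name, off))
    return hits

def demo():
    """Scan a constructed two-file dump (sample bytes, not real app memory)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "region_a.data").write_bytes(b"\x00\x01pw=CCSF#flip10!\x00junk")
        Path(d, "region_b.data").write_bytes(
            b"\xff" * 4 + "CCSF#flip11!".encode("utf-16-le") + b"\x00\x00")
        return scan_dump(d, ["CCSF#flip10!", "CCSF#flip11!"])

if __name__ == "__main__":
    # Usage: python3 scan_dump.py dump 'CCSF#flip10!' 'CCSF#flip11!'
    if len(sys.argv) > 2:
        results = scan_dump(sys.argv[1], sys.argv[2:])
    else:
        results = demo()
    for (secret, enc), where in sorted(results.items()):
        print(f"{secret!r} as {enc}: {len(where)} hit(s), first at {where[0]}")
```

Run it with no arguments to see the constructed sample, or pass the dump directory and the secrets you planted, including the fake credit card number you noted earlier.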

Posted 11-2-22