LastPass Breach - and your SSO

see our previous blog post


On Feb 28th, 2023, new information disclosed by LastPass revealed that users of their organizational product relying on SSO are also at risk.

TL;DR:

  • in order to compromise your vault protected by SSO, the attacker needs access to a single employee in your organization
  • if you did not rotate your passwords or follow our other recommendations, now is the time
  • it looks like the only way to do proper key rotation is to “re-federate” your organization, namely, rebuild your SSO data

Background

The attackers want access to the encrypted values stored inside the organizational vaults. To achieve that, they would need to succeed in the following steps:

  1. gain access to the vaults - DONE
  2. copy the vaults for offline access - DONE
  3. get the K2 values - DONE
  4. get the K1 value - ?
  5. gain access to the master password encrypting the vault
    1. the master password is protected by splitting the secret between two separate keys
    2. K1 is a company-wide secret
    3. K2 is the user-generated secret, and it is stored at the LastPass backend
  6. match a specific vault with a specific master password

The attacker’s goal was to have both K1 and K2, as this would provide them with the master password and the ability to decrypt organizational vaults.

To get the master password, the attacker would need to hash the two values together:

masterPassword := Sha256(K1 xor K2)

K2

K2 is stored at LastPass and fetched via an API request using an id_token signed by your SSO provider.

The attackers compromised one of the LastPass DevOps team’s home environments, which allowed them to extract an important set of secret keys named K2.

The attackers now hold this set of K2 values.

K1

K1 is the company-wide secret (not per user) and is stored in the JWT of the SSO. This means that whenever an organization member performs SSO authentication, they get the K1 value in the JWT used for authentication.

This K1 value is the same for every member of the organization.

The attacker now needs to target any employee of that organization and steal their K1 value. As this value does not change, it does not matter which employee they capture it from; they only need to succeed once.

Matching Vaults to Organizations

The last piece is to match a vault (which they already stole) with the K2 value (which they now have), and then to target any user who belongs to the same organization as that vault.

You would assume that matching these would be hard, but the organization name and other metadata are not encrypted in the vault.

Recommendations

At this time, it looks like the only way to rotate K1 values is to “re-federate” your organization with your provider, which is undoubtedly a challenging process.
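To tie the pieces above together, here is an added Python illustration (not LastPass code) of the key split as this post describes it: one captured id_token from any employee exposes the org-wide K1, that K1 plus the stolen K2 set yields every user's master password, and only a fresh K1 (re-federation) invalidates the stolen K2 set. It assumes K1 and K2 are equal-length 32-byte secrets, hex encoded and XORed bytewise before SHA-256, and uses a placeholder claim name "k1" in a constructed, unsigned token; the post specifies none of these details.

```python
import base64
import hashlib
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_id_token(k1: bytes, subject: str) -> str:
    # Constructed, unsigned sample token; "k1" is a placeholder claim name (assumption).
    payload = {"sub": subject, "k1": k1.hex()}
    return b64url_encode({"alg": "none"}) + "." + b64url_encode(payload) + "."


def k1_from_id_token(id_token: str) -> bytes:
    # Reads the payload only. The signature is deliberately not checked here;
    # a real relying party must verify it before trusting any claim.
    payload = json.loads(b64url_decode(id_token.split(".")[1]))
    return bytes.fromhex(payload["k1"])


def master_password(k1: bytes, k2: bytes) -> str:
    # masterPassword := Sha256(K1 xor K2), as the post describes it.
    if len(k1) != len(k2):
        raise ValueError("K1 and K2 must have the same length")
    return hashlib.sha256(bytes(a ^ b for a, b in zip(k1, k2))).hexdigest()


def demo() -> dict:
    k1_org = bytes.fromhex("11" * 32)  # constructed org-wide K1
    k2 = {"alice": bytes.fromhex("a1" * 32), "bob": bytes.fromhex("b2" * 32)}  # constructed per-user K2s
    # K1 is organization-wide, so any one employee's token yields the same value:
    k1_from_bob = k1_from_id_token(make_id_token(k1_org, "bob"))
    k1_from_alice = k1_from_id_token(make_id_token(k1_org, "alice"))
    # Combined with the stolen K2 set, each user's master password follows:
    before = {u: master_password(k1_from_bob, k2[u]) for u in k2}
    # Re-federation issues a fresh K1; the stolen K2 set alone no longer suffices:
    k1_new = bytes.fromhex("22" * 32)  # constructed post-re-federation K1
    after = {u: master_password(k1_new, k2[u]) for u in k2}
    return {"same_k1": k1_from_bob == k1_from_alice, "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```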