lpass login returns 'unknown' - iterations.php behavior changed #604
Comments
I am getting the same error on a 2015 MacBookPro with MacOS 10.14 (Mojave), so it appears it is a |
Several people where I work are running into this on Ubuntu 20.04 as well. |
I traced through the code and I think the problem is that iterations.php on the server is broken. The steps I see are:
If I hack up cmd-login.c to hard-code iterations to 5000 I'm able to log in: diff --git a/cmd-login.c b/cmd-login.c
index 27b2272..8e46232 100644
--- a/cmd-login.c
+++ b/cmd-login.c
@@ -96,6 +96,8 @@ int cmd_login(int argc, char **argv)
username = argv[optind];
iterations = lastpass_iterations(username);
+ printf("Server says %d iterations\n", iterations);
+ iterations = 5000;
if (!iterations)
die("Unable to fetch iteration count. Check your internet connection and be sure your username is valid."); I'm not sure if this is the same for everyone, so to find this number you'll need to improve the error response handling: diff --git a/xml.c b/xml.c
index 5961244..fecbde6 100644
--- a/xml.c
+++ b/xml.c
@@ -154,7 +154,9 @@ out:
if (doc)
xmlFreeDoc(doc);
if (!result)
- result = xstrdup("unknown");
+ xasprintf(&result, "unknown XML error: %s", buf);
+ if (!result)
+ result = xstrdup("unknown xml_error_cause");
return result;
} |
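Review bot: in the cmd-login.c hunk the unconditional `iterations = 5000;` placed right after `lastpass_iterations(username)` makes the following `if (!iterations)` check dead code and discards the server's answer, so an account whose vault is on 100100 (or any other count) would fail to log in with the same misleading "unknown" error; keep the diagnostic `printf` but drop the override, or make it opt-in through an explicit command-line option instead of a hard-coded constant.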
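Review bot: in the xml.c hunk `buf` does not appear in the visible context, so confirm it is the NUL-terminated response body (and not a fixed-size scratch buffer) before handing it to `xasprintf` with `%s`; and since the raw server reply is copied verbatim into the error string, whatever the server returned ends up on the terminal and in any log that captures stderr, so bound its length or report only the parsed `<error>` element. If `xasprintf` follows the project's x*-allocator convention of aborting on allocation failure, the second `if (!result)` fallback to "unknown xml_error_cause" is unreachable and can be dropped.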
Something weird is going on with iterations.php. If I click this link in my browser: https://lastpass.com/iterations.php?email=me@example.com it says 5000, but if I do |
I get the same results for my email and it's entirely (and poorly) UserAgent based. If I run curl and specify a UserAgent, I'm able to get back 5000 or 100100 depending on how 'valid' the user agent string is: |
I'm trying to set the user agent in |
Ah I think this is the other fun part: |
Ah cool, so the user agent lpass uses is fine, it's entirely the GET issue. I think this is the fix:
(I have no idea if this introduces a memory leak or not 🤷 ) |
Hmm. With that code in place, lpass segfaults for me now. |
Well that's fun... :\ I hardly ever write C so it's possible I'm doing something wrong here but I don't know what it is since it works for me. |
My guess is it's library related ... I'll keep poking at it on my end to see whether I can get it to work on my M1 |
I realized I had re-pulled the repo but not re-implemented the fixes for homebrew in #513. After fixing CMakeLists.txt for Homebrew, it compiled and runs fine. The elimination of POST in iterations.php is annoying though. |
I can confirm that the pull request above works for me on MacOS 10.14 (Mojave) on an MacBookPro 2015 using brew. I was able to do this as follows:
Used https://www.ralfebert.de/snippets/brew-apply-patch-to-package-formula/ as a guide for the above. Thank you all for running this down and providing a work-in-progress fix, I can at least use LastPass from the command line again! |
Got this error with patched version. |
I can confirm the steps for patching by @rkirkpat work for me too on MacBook Air (M1, 2020) using Big Sur 11.3.1 (20E241) |
Hi everyone. I maintain a library that allows access to LastPass and other PMs. I noticed this issue as well. After some testing I see that the In order to fix this issue, you'd need to login with the default value and parse the result and re-hash the password and re-login with the correct value returned from the server. This is how I fixed it in my library and it's tested and it works: |
Where do you set this value? |
Vault -> Account Settings -> General -> Show Advanced Settings -> Password Iterations |
I can confirm that the patch submitted by @brendanlong continues to function properly even if you update the number of iterations to something other than 5000 or 100100. |
@mjbroekman Could you remove "MacBook Air M1 - " from the title of this issue since it happens elsewhere as well? :) |
I got this error as well with the patched version using the method from @rkirkpat (#604 (comment)):
But just changing my settings to a higher number like 200000 did not work. It only worked with changing my account settings to exactly 100100: Thanks all for the help! |
I had issues building the branch in #605 because of the issue in #532. I rebased #605 over #532 (manually) and could build but the patched Now after reading the above comment by @millerdrew I just went into settings and changed Password Iterations to @millerdrew could you test with your old unpatched lpass and see if that works for you? That would mean we have a rather solid non-intrusive workaround until this is fixed properly. 1: "regular lpass" here means whatever version of |
Hm I'm not sure why even with my patch sometimes the iterations.php result is wrong. A better solution would probably be to call login.php and use the It looks like for most people the simplest workaround is to set your password iterations to 100100 though. I'll be doing that myself. |
I updated my patch in #605 to use login.php to get the iteration count since hopefully that's more stable. I recommend that most people just update their password iterations to 100100 though (and probably a worthwhile security improvement on its own if yours is set to 5000). |
@mattiasb I uninstalled lastpass-cli, and reinstalled without patching and I can confirm that it works now that my password iterations is set to 100100. |
@mjbroekman could you append the following to your question (so that it's easily and immediately accessible to people coming here from the interwebs):
## Workaround
A workaround is to:
1. Open `Account Settings` in your browser (`Open My Vault` → `Account Settings`)
2. Press `Show Advanced Settings`
3. Set `General → Security → Password Iterations` to *exactly* `100100`
LastPass will ask for your Master password and re-encrypt your vault. After that using `lpass` *should* work again. |
@mjbroekman thanks! ❤️ |
@brendanlong thank you for the fix! I applied the patch per @rkirkpat's splendid patching tips. |
Closes #44 As reported in lastpass/lastpass-cli#604, on 18 May 2021 behaviour changed in LastPass servers. Prior to that date, password iteration != 100100 was supported by this lib by first POSTing to the /iterations.php endpoint to get the correct iterations count. This commit fixes the broken /iterations.php behaviour as explained in detunized/password-manager-access@bd2e31d#diff-708eab38b171b2961f6da413413fd63d1cff3d5fceda920289959678be35a184R51-R58: "We no longer request the iteration count from the server in a separate request because it started to fail in weird ways. It seems there's a special combination of the User Agent and cookies that returns the correct result. And that is not 100% reliable. After two or three attempts it starts to fail again with an incorrect result. So we just went back a few years to the original way LastPass used to handle the iterations. Namely, submit the default value and if it fails, the error would contain the correct value: <response><error iterations="5000" /></response>" So, we first try to login with the default 100100 iterations. If it fails, we try to login again with the iterations from the error message.
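The fallback that this commit message (and the library author's earlier comment) describes, as an added example that is not code from lastpass-cli or from password-manager-access: the client submits the default 100100 count, reads the `iterations` attribute out of the `<error>` reply and retries with the server-supplied value. The PBKDF2-SHA256 derivation in `derive_login_hash` and the stand-in `fake_login_endpoint` with its sample accounts are assumptions constructed for the example, not the real protocol.

```python
import hashlib
import xml.etree.ElementTree as ET

DEFAULT_ITERATIONS = 100100  # the count the client submits first, per the thread


def derive_login_hash(username: str, password: str, iterations: int) -> str:
    """Assumed scheme (not spelled out on the page): PBKDF2-HMAC-SHA256 of the
    master password salted with the lowercased username, then one more round
    keyed by the password to get the value that is sent to the server."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), username.lower().encode(), iterations)
    return hashlib.pbkdf2_hmac("sha256", key, password.encode(), 1).hex()


# Constructed stand-in for login.php: username -> (master password, vault iterations).
_ACCOUNTS = {
    "me@example.com": ("correct horse battery", 5000),   # vault still on the old count
    "you@example.com": ("staple", DEFAULT_ITERATIONS),   # vault already on 100100
}
_HASHES = {u: derive_login_hash(u, p, n) for u, (p, n) in _ACCOUNTS.items()}


def fake_login_endpoint(username: str, login_hash: str, iterations: int) -> str:
    """Rejects a wrong count with the real one in the error, as the thread describes."""
    if username not in _ACCOUNTS:
        return '<response><error message="unknown user" /></response>'
    real = _ACCOUNTS[username][1]
    if iterations != real:
        return f'<response><error iterations="{real}" /></response>'
    if login_hash != _HASHES[username]:
        return '<response><error message="bad password" /></response>'
    return "<response><ok /></response>"


def login_with_fallback(username: str, password: str, post=fake_login_endpoint, max_attempts: int = 2):
    """Submit the default count; on <error iterations="N"> re-hash with N and retry.
    Returns (iterations that worked, attempts made). max_attempts bounds the loop
    because the thread notes the server's hint is not always reliable."""
    iterations = DEFAULT_ITERATIONS
    for attempt in range(1, max_attempts + 1):
        reply = ET.fromstring(post(username, derive_login_hash(username, password, iterations), iterations))
        if reply.find("ok") is not None:
            return iterations, attempt
        err = reply.find("error")
        hint = err.get("iterations") if err is not None else None
        if hint is None or not hint.isdigit() or int(hint) == iterations:
            raise PermissionError("login failed and the reply carries no usable iteration hint")
        iterations = int(hint)
    raise PermissionError(f"server kept rejecting the iteration count after {max_attempts} attempts")
```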
@efx @brendanlong just trying to find out what the status of this issue is? Are we supposed to continue with the workaround |
lastpass#604 (comment) Signed-off-by: Wesley Schwengle <wesley@opperschaap.net>
I am wondering the same. Have they dropped support for this? |
I have run into this problem today, I've only just found this thread so I'll be trying the workaround. My version of lastpass-cli according to ETA: Changing the number to 100100 let me login. |
Still an issue as of today. Thankfully, the workaround of updating password iterations to 100100 still succeeds. |
Still hitting this issue as of today -- the workaround still works but strangely the problem was intermittent (as in I wasn't getting this error until a few days ago and then it suddenly hit) |
LastPass was having issues yesterday for a couple of hours during which it was impossible to access objects in your vaults. |
- leaks data
- does not correctly return the number of pbkdf2 iterations on the vault
- use environment-sensitive
See: lastpass#604
Hello, yesterday night I started to have the issue logging in to LastPass even though my password is correct, but using biometrics on my iPhone is working fine. Following the conversation above, I don't see the 'Password Iterations' option at all in the LastPass UI in the browser. What should I do? |
Go to "Account Settings", click "Advanced", scroll down to the "Security" section, then look for "Password Iterations". |
Has this been fixed yet? I hit this issue today, having recently updated my iterations to 2000000. Switching to 100100 got it working again. |
Is the LastPass CLI still considered a supported feature? In light of the fact that 100100 iterations is no longer considered sufficiently high, LastPass needs to resolve this issue one way or the other: enable CLI users to set iterations > 100100; or deprecate the CLI feature. |
@0xdevalias - where did you see this announcement? I've not seen it anywhere. I wonder if it's specific to your company's settings (assuming you're using a business edition/account). |
@lukens According to the Apr 28, 2023 LastPass Security Bulletin at https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/security-bulletin-recommended-actions-free-premium-families.html&_LANG=enus: |
@lukens That was in the LastPass desktop client, personal account, nothing to do with business/org accounts. |
LastPass just notified me that it had changed the iterations on my "business user" account to 600,000. I confirmed in the advanced account settings area. I am still able to login and access secrets from the LastPass CLI (v1.3.7 on FreeBSD and on macOS via MacPorts).
Whew! |
Yesterday, I was using lastpass-cli (via Homebrew) fine, but this morning when I attempt to log in via `lpass login <username>`, I get the message "unknown" and am prompted for the master password again. I am able to log in to both the browser extension and the website, so I know my credentials are correct. The only place I see 'unknown' that would be applicable to logging in is in the xml_error_cause function in xml.c, which gets called from endpoints-login.c
I also attempted to compile from the repo here and, following all the applicable steps for M1 and Homebrew, I get the same result.