LastPass phishing hack could trick users into giving away their password

Exploit capable of bypassing two-factor authentication thanks to open API, but LastPass says it has taken action

LastPass users could be tricked into giving away their login details, because of a design flaw that has been described as "hard-to-fix and easy-to-exploit".

The flaw, dubbed LostPass', puts users at risk of phishing attacks and is said to be capable of bypassing two-factor authentication, making it a serious security risk.

Sean Cassidy, security researcher and CTO of Praesidio, a cloud-based cybersecurity firm, discovered the flaw, which he has shared in a blog post and discussed at ShmooCon 2016.

LastPass is a widely-used password management service that allows users to store all of their account details and passwords for other services in a secure vault. Users remember just one password and then have access to all their others.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The LostPass attack

By default, LastPass displays messages inside and across users' web browsers. It is these messages that Cassidy said attackers can fake "pixel-for-pixel" to dupe unsuspecting users into giving away their login details.

In Cassidy's words, LastPass "trained users to expect notifications in the browser viewport". Login pages, notifications and account recall prompts all appear as new tabs, pop-ups or banners in users' web browsers. This means hackers could fake these notifications and users would be none the wiser if they visited, or were redirected to, a website containing malicious code.

Once a user visits an attacker's fake LastPass login page, Cassidy said it would it would not be difficult for a hacker to steal user credentials via the LastPass API, even if that user has two-factor authentication enabled.

Because attackers can access LastPass's open API, Cassidy explained: "Once the attacker has the correct username and password (and two-factor token), [they can] download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a trusted device'. Anything we want, really."

A malicious attack that did gain access to a users account could do serious harm, especially if users store master passwords to other services, such as their online banking details, shopping accounts or app store logins.

Advertisement - Article continues below

Such an attack works best in the Google Chrome browser, said Cassidy.

However, LastPass said it has now strengthened its defences against such an attack, such as by requiring all users to certify any new device via their email accounts.

LastPass bypassed

This particular security flaw is both technical and communicative. Even the most discerning user could be fooled by this attack, which requires "no sophisticated knowledge".

Advertisement
Advertisement - Article continues below

Moreover, Cassidy asserted that enabling two-factor authentication actually makes this particular type of attack against LastPass "easier", because LastPass sends an email confirmation when a new IP address attempts to log in by default.

Cassidy said: "This should stop the attack almost entirely, but it doesn't. According to LastPass's documentation, the confirmation email is only sent if you don't have two-factor authentication enabled."

Advertisement - Article continues below

Explaining why he published details of this exploit, Cassidy said: "As soon as I published details of this attack, criminals could make their own version in less than a day. I am publishing this tool so that companies can pen-test themselves to make an informed decision about this attack and respond appropriately.

"This is backwards for most vulnerability disclosures. Most vulnerabilities are easy-to-fix and hard-to-exploit. This is hard-to-fix and easy-to-exploit, so I felt that a tool release was appropriate."

As well as avoiding keeping essential or financially sensitive account information in their LastPass vault, Cassidy recommended that users watch out for in-browser notifications, enable IP restriction (if they pay for its premium service), and disable mobile login.

Cassidy debuted his findings at a conference over the weekend, and LastPass has taken notice. It has published details of its response to Cassidy's phishing attack flaw, which can be read here.

A LastPass spokeswoman told IT Pro: "We have made improvements in response to Cassidy's research and have many layers of protection in place to mitigate this phishing attack notably our verification requirements when an account is being accessed from a new location or device.

Regarding the two-factor authentication loophole specifically, she added: "We have now enabled email verification for all users, including those with two-factor authentication enabled for their account.

Advertisement - Article continues below

"We always recommend that users choose a strong master password that is never used for any other account, and turning on two-factor authentication for additional protection. It's also important to protect your email account with a strong, unique password and two-factor authentication, if your email provider offers it.

"As always, security is our focus here at LastPass. We value the contributions from the research community that help us offer an even more secure service and provide us an opportunity to educate users about security threats."

Advertisement
Advertisement - Article continues below

This is not the first case of a hack that could potentially blow users' LastPass vaults wide open. In June 2015, hackers reportedly made off with user data.

Last November, security researchers Alberto Garcia and Martin Vigo published an account of their own attempts to hack LastPass.

Cassidy has posted the code for his finding to GitHub.

This article was originally published on 18 January 2016 at 12:25. It was updated late that day with a comment from LastPass at 13:50.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far/page/0/1
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020