LastPass phishing hack could trick users into giving away their password

Exploit capable of bypassing two-factor authentication thanks to open API, but LastPass says it has taken action

LastPass users could be tricked into giving away their login details, because of a design flaw that has been described as "hard-to-fix and easy-to-exploit".

The flaw, dubbed LostPass', puts users at risk of phishing attacks and is said to be capable of bypassing two-factor authentication, making it a serious security risk.

Advertisement - Article continues below

Sean Cassidy, security researcher and CTO of Praesidio, a cloud-based cybersecurity firm, discovered the flaw, which he has shared in a blog post and discussed at ShmooCon 2016.

LastPass is a widely-used password management service that allows users to store all of their account details and passwords for other services in a secure vault. Users remember just one password and then have access to all their others.

The LostPass attack

By default, LastPass displays messages inside and across users' web browsers. It is these messages that Cassidy said attackers can fake "pixel-for-pixel" to dupe unsuspecting users into giving away their login details.

In Cassidy's words, LastPass "trained users to expect notifications in the browser viewport". Login pages, notifications and account recall prompts all appear as new tabs, pop-ups or banners in users' web browsers. This means hackers could fake these notifications and users would be none the wiser if they visited, or were redirected to, a website containing malicious code.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Once a user visits an attacker's fake LastPass login page, Cassidy said it would it would not be difficult for a hacker to steal user credentials via the LastPass API, even if that user has two-factor authentication enabled.

Because attackers can access LastPass's open API, Cassidy explained: "Once the attacker has the correct username and password (and two-factor token), [they can] download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a trusted device'. Anything we want, really."

A malicious attack that did gain access to a users account could do serious harm, especially if users store master passwords to other services, such as their online banking details, shopping accounts or app store logins.

Such an attack works best in the Google Chrome browser, said Cassidy.

However, LastPass said it has now strengthened its defences against such an attack, such as by requiring all users to certify any new device via their email accounts.

Advertisement - Article continues below

LastPass bypassed

This particular security flaw is both technical and communicative. Even the most discerning user could be fooled by this attack, which requires "no sophisticated knowledge".

Moreover, Cassidy asserted that enabling two-factor authentication actually makes this particular type of attack against LastPass "easier", because LastPass sends an email confirmation when a new IP address attempts to log in by default.

Cassidy said: "This should stop the attack almost entirely, but it doesn't. According to LastPass's documentation, the confirmation email is only sent if you don't have two-factor authentication enabled."

Explaining why he published details of this exploit, Cassidy said: "As soon as I published details of this attack, criminals could make their own version in less than a day. I am publishing this tool so that companies can pen-test themselves to make an informed decision about this attack and respond appropriately.

Advertisement
Advertisement - Article continues below

"This is backwards for most vulnerability disclosures. Most vulnerabilities are easy-to-fix and hard-to-exploit. This is hard-to-fix and easy-to-exploit, so I felt that a tool release was appropriate."

Advertisement - Article continues below

As well as avoiding keeping essential or financially sensitive account information in their LastPass vault, Cassidy recommended that users watch out for in-browser notifications, enable IP restriction (if they pay for its premium service), and disable mobile login.

Cassidy debuted his findings at a conference over the weekend, and LastPass has taken notice. It has published details of its response to Cassidy's phishing attack flaw, which can be read here.

A LastPass spokeswoman told IT Pro: "We have made improvements in response to Cassidy's research and have many layers of protection in place to mitigate this phishing attack notably our verification requirements when an account is being accessed from a new location or device.

Regarding the two-factor authentication loophole specifically, she added: "We have now enabled email verification for all users, including those with two-factor authentication enabled for their account.

"We always recommend that users choose a strong master password that is never used for any other account, and turning on two-factor authentication for additional protection. It's also important to protect your email account with a strong, unique password and two-factor authentication, if your email provider offers it.

Advertisement - Article continues below

"As always, security is our focus here at LastPass. We value the contributions from the research community that help us offer an even more secure service and provide us an opportunity to educate users about security threats."

This is not the first case of a hack that could potentially blow users' LastPass vaults wide open. In June 2015, hackers reportedly made off with user data.

Last November, security researchers Alberto Garcia and Martin Vigo published an account of their own attempts to hack LastPass.

Cassidy has posted the code for his finding to GitHub.

This article was originally published on 18 January 2016 at 12:25. It was updated late that day with a comment from LastPass at 13:50.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Recommended

Visit/security/data-breaches/355056/vpnmentors-web-mapping-project-finds-more-exposed-military-files-via
data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020
Visit/security/355013/10-quick-tips-to-identifying-phishing-emails
Security

10 quick tips to identifying phishing emails

16 Mar 2020
Visit/business-strategy/mergers-and-acquisitions/354941/panda-security-to-be-acquired-by-watchguard
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020