LastPass phishing hack could trick users into giving away their password

Exploit capable of bypassing two-factor authentication thanks to open API, but LastPass says it has taken action

LastPass users could be tricked into giving away their login details, because of a design flaw that has been described as "hard-to-fix and easy-to-exploit".

The flaw, dubbed LostPass', puts users at risk of phishing attacks and is said to be capable of bypassing two-factor authentication, making it a serious security risk.

Sean Cassidy, security researcher and CTO of Praesidio, a cloud-based cybersecurity firm, discovered the flaw, which he has shared in a blog post and discussed at ShmooCon 2016.

LastPass is a widely-used password management service that allows users to store all of their account details and passwords for other services in a secure vault. Users remember just one password and then have access to all their others.

The LostPass attack

By default, LastPass displays messages inside and across users' web browsers. It is these messages that Cassidy said attackers can fake "pixel-for-pixel" to dupe unsuspecting users into giving away their login details.

In Cassidy's words, LastPass "trained users to expect notifications in the browser viewport". Login pages, notifications and account recall prompts all appear as new tabs, pop-ups or banners in users' web browsers. This means hackers could fake these notifications and users would be none the wiser if they visited, or were redirected to, a website containing malicious code.

Once a user visits an attacker's fake LastPass login page, Cassidy said it would it would not be difficult for a hacker to steal user credentials via the LastPass API, even if that user has two-factor authentication enabled.

Because attackers can access LastPass's open API, Cassidy explained: "Once the attacker has the correct username and password (and two-factor token), [they can] download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a trusted device'. Anything we want, really."

A malicious attack that did gain access to a users account could do serious harm, especially if users store master passwords to other services, such as their online banking details, shopping accounts or app store logins.

Such an attack works best in the Google Chrome browser, said Cassidy.

However, LastPass said it has now strengthened its defences against such an attack, such as by requiring all users to certify any new device via their email accounts.

LastPass bypassed

This particular security flaw is both technical and communicative. Even the most discerning user could be fooled by this attack, which requires "no sophisticated knowledge".

Moreover, Cassidy asserted that enabling two-factor authentication actually makes this particular type of attack against LastPass "easier", because LastPass sends an email confirmation when a new IP address attempts to log in by default.

Cassidy said: "This should stop the attack almost entirely, but it doesn't. According to LastPass's documentation, the confirmation email is only sent if you don't have two-factor authentication enabled."

Explaining why he published details of this exploit, Cassidy said: "As soon as I published details of this attack, criminals could make their own version in less than a day. I am publishing this tool so that companies can pen-test themselves to make an informed decision about this attack and respond appropriately.

"This is backwards for most vulnerability disclosures. Most vulnerabilities are easy-to-fix and hard-to-exploit. This is hard-to-fix and easy-to-exploit, so I felt that a tool release was appropriate."

As well as avoiding keeping essential or financially sensitive account information in their LastPass vault, Cassidy recommended that users watch out for in-browser notifications, enable IP restriction (if they pay for its premium service), and disable mobile login.

Cassidy debuted his findings at a conference over the weekend, and LastPass has taken notice. It has published details of its response to Cassidy's phishing attack flaw, which can be read here.

A LastPass spokeswoman told IT Pro: "We have made improvements in response to Cassidy's research and have many layers of protection in place to mitigate this phishing attack notably our verification requirements when an account is being accessed from a new location or device.

Regarding the two-factor authentication loophole specifically, she added: "We have now enabled email verification for all users, including those with two-factor authentication enabled for their account.

"We always recommend that users choose a strong master password that is never used for any other account, and turning on two-factor authentication for additional protection. It's also important to protect your email account with a strong, unique password and two-factor authentication, if your email provider offers it.

"As always, security is our focus here at LastPass. We value the contributions from the research community that help us offer an even more secure service and provide us an opportunity to educate users about security threats."

This is not the first case of a hack that could potentially blow users' LastPass vaults wide open. In June 2015, hackers reportedly made off with user data.

Last November, security researchers Alberto Garcia and Martin Vigo published an account of their own attempts to hack LastPass.

Cassidy has posted the code for his finding to GitHub.

This article was originally published on 18 January 2016 at 12:25. It was updated late that day with a comment from LastPass at 13:50.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021
1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021