LastPass phishing hack could trick users into giving away their password

Exploit capable of bypassing two-factor authentication thanks to open API, but LastPass says it has taken action

LastPass users could be tricked into giving away their login details, because of a design flaw that has been described as "hard-to-fix and easy-to-exploit".

The flaw, dubbed 'LostPass', puts users at risk of phishing attacks and is said to be capable of bypassing two-factor authentication, making it a serious security risk.


Sean Cassidy, security researcher and CTO of Praesidio, a cloud-based cybersecurity firm, discovered the flaw, which he has shared in a blog post and discussed at ShmooCon 2016.

LastPass is a widely-used password management service that allows users to store all of their account details and passwords for other services in a secure vault. Users remember just one password and then have access to all their others.

The LostPass attack

By default, LastPass displays messages inside and across users' web browsers. It is these messages that Cassidy said attackers can fake "pixel-for-pixel" to dupe unsuspecting users into giving away their login details.

In Cassidy's words, LastPass "trained users to expect notifications in the browser viewport". Login pages, notifications and account recall prompts all appear as new tabs, pop-ups or banners in users' web browsers. This means hackers could fake these notifications and users would be none the wiser if they visited, or were redirected to, a website containing malicious code.


Once a user visits an attacker's fake LastPass login page, Cassidy said, it would not be difficult for a hacker to steal user credentials via the LastPass API, even if that user has two-factor authentication enabled.

Because attackers can access LastPass's open API, Cassidy explained: "Once the attacker has the correct username and password (and two-factor token), [they can] download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a 'trusted device'. Anything we want, really."

An attacker who did gain access to a user's account could do serious harm, especially if the vault holds the passwords for other services, such as online banking details, shopping accounts or app store logins.

Such an attack works best in the Google Chrome browser, said Cassidy.

However, LastPass said it has now strengthened its defences against such an attack, for example by requiring all users to verify any new device via their email accounts.


LastPass bypassed

This particular security flaw is as much a problem of user interface and communication as of code. Even the most discerning user could be fooled by this attack, which requires "no sophisticated knowledge".

Moreover, Cassidy asserted that enabling two-factor authentication actually makes this particular type of attack against LastPass "easier". By default, LastPass sends an email confirmation when a new IP address attempts to log in, which ought to catch a stolen-credential login.

Cassidy said: "This should stop the attack almost entirely, but it doesn't. According to LastPass's documentation, the confirmation email is only sent if you don't have two-factor authentication enabled."
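The loophole Cassidy describes is a policy ordering problem: the new-device email check was skipped precisely for the accounts that had a second factor, so a phished password plus one-time code walked straight in. The following toy login-gating model is an added illustration, not LastPass's code or Cassidy's tool; account names, device identifiers and IP addresses are constructed. It puts the original rule ("only email-verify new devices when two-factor is off") beside the corrected rule LastPass later described ("email-verify every unknown device, two-factor or not"), and also models the premium IP-restriction option mentioned later in the article.

```python
"""
Toy model of new-device login gating for a password-manager account.

Constructed illustration (not LastPass's implementation): compares the
original rule, which skipped email verification for accounts with a
second factor, against the corrected rule, which verifies every unknown
device regardless of two-factor status.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Account:
    username: str
    password: str
    totp_enabled: bool
    trusted_devices: Set[str] = field(default_factory=set)
    # Optional premium-style IP restriction; None means the feature is off.
    trusted_ips: Optional[Set[str]] = None


@dataclass
class LoginAttempt:
    username: str
    password: str
    otp_ok: bool        # whether the submitted second factor was accepted
    device_id: str      # identifier presented by the client
    ip: str


# Policy switch: does a 2FA-enabled account still get the new-device email check?
ORIGINAL_RULE = False   # pre-fix behaviour described in the article
FIXED_RULE = True       # behaviour after LastPass enabled verification for all users


def decide(account: Account, attempt: LoginAttempt, verify_new_device_with_2fa: bool) -> str:
    """Return 'denied', 'verify_email' or 'granted' for one login attempt."""
    if attempt.username != account.username or attempt.password != account.password:
        return "denied"
    if account.totp_enabled and not attempt.otp_ok:
        return "denied"
    # IP restriction (premium option): unknown source addresses are refused outright.
    if account.trusted_ips is not None and attempt.ip not in account.trusted_ips:
        return "denied"
    if attempt.device_id not in account.trusted_devices:
        # Original rule: a valid second factor was treated as proof enough,
        # so the email step was skipped exactly when it mattered most.
        if account.totp_enabled and not verify_new_device_with_2fa:
            return "granted"
        return "verify_email"
    return "granted"


def demo_phished_2fa_account():
    """A correct password + one-time code from an unknown device, under both rules."""
    victim = Account("alice@example.com", "correct horse", totp_enabled=True,
                     trusted_devices={"alice-laptop"})
    phished = LoginAttempt("alice@example.com", "correct horse", otp_ok=True,
                           device_id="unknown-device", ip="203.0.113.7")   # constructed
    return decide(victim, phished, ORIGINAL_RULE), decide(victim, phished, FIXED_RULE)


def demo_ip_restriction():
    """Same phished credentials, but the account restricts logins to known addresses."""
    victim = Account("alice@example.com", "correct horse", totp_enabled=True,
                     trusted_devices={"alice-laptop"}, trusted_ips={"198.51.100.10"})
    phished = LoginAttempt("alice@example.com", "correct horse", otp_ok=True,
                           device_id="unknown-device", ip="203.0.113.7")   # constructed
    return decide(victim, phished, ORIGINAL_RULE)


if __name__ == "__main__":
    print("original rule / fixed rule:", demo_phished_2fa_account())   # granted / verify_email
    print("with IP restriction:", demo_ip_restriction())               # denied
```

The point of the comparison is that the second factor and the new-device check defend against different things: the one-time code proves the user typed it somewhere, the email verification proves the login came from a device the real owner accepts. Treating the first as a substitute for the second is what let a phishing page that captured both password and code succeed.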

Explaining why he published details of this exploit, Cassidy said: "As soon as I published details of this attack, criminals could make their own version in less than a day. I am publishing this tool so that companies can pen-test themselves to make an informed decision about this attack and respond appropriately.


"This is backwards for most vulnerability disclosures. Most vulnerabilities are easy-to-fix and hard-to-exploit. This is hard-to-fix and easy-to-exploit, so I felt that a tool release was appropriate."


As well as avoiding keeping essential or financially sensitive account information in their LastPass vault, Cassidy recommended that users watch out for in-browser notifications, enable IP restriction (if they pay for its premium service), and disable mobile login.

Cassidy debuted his findings at a conference over the weekend, and LastPass has taken notice. It has published details of its response to Cassidy's findings.

A LastPass spokeswoman told IT Pro: "We have made improvements in response to Cassidy's research and have many layers of protection in place to mitigate this phishing attack, notably our verification requirements when an account is being accessed from a new location or device."

Regarding the two-factor authentication loophole specifically, she added: "We have now enabled email verification for all users, including those with two-factor authentication enabled for their account.

"We always recommend that users choose a strong master password that is never used for any other account, and turning on two-factor authentication for additional protection. It's also important to protect your email account with a strong, unique password and two-factor authentication, if your email provider offers it.


"As always, security is our focus here at LastPass. We value the contributions from the research community that help us offer an even more secure service and provide us an opportunity to educate users about security threats."

This is not the first case of a hack that could potentially blow users' LastPass vaults wide open. In June 2015, hackers reportedly made off with user data.

Last November, security researchers Alberto Garcia and Martin Vigo published an account of their own attempts to hack LastPass.

Cassidy has posted the code for his finding to GitHub.

This article was originally published on 18 January 2016 at 12:25. It was updated late that day with a comment from LastPass at 13:50.
