LastPass phishing hack could trick users into giving away their password

The word LastPass, next to four asterisks indicating a password

LastPass users could be tricked into giving away their login details, because of a design flaw that has been described as "hard-to-fix and easy-to-exploit".

The flaw, dubbed LostPass', puts users at risk of phishing attacks and is said to be capable of bypassing two-factor authentication, making it a serious security risk.

Sean Cassidy, security researcher and CTO of Praesidio, a cloud-based cybersecurity firm, discovered the flaw, which he has shared in a blog post and discussed at ShmooCon 2016.

LastPass is a widely-used password management service that allows users to store all of their account details and passwords for other services in a secure vault. Users remember just one password and then have access to all their others.

The LostPass attack

By default, LastPass displays messages inside and across users' web browsers. It is these messages that Cassidy said attackers can fake "pixel-for-pixel" to dupe unsuspecting users into giving away their login details.

In Cassidy's words, LastPass "trained users to expect notifications in the browser viewport". Login pages, notifications and account recall prompts all appear as new tabs, pop-ups or banners in users' web browsers. This means hackers could fake these notifications and users would be none the wiser if they visited, or were redirected to, a website containing malicious code.

Once a user visits an attacker's fake LastPass login page, Cassidy said it would it would not be difficult for a hacker to steal user credentials via the LastPass API, even if that user has two-factor authentication enabled.

Because attackers can access LastPass's open API, Cassidy explained: "Once the attacker has the correct username and password (and two-factor token), [they can] download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a trusted device'. Anything we want, really."

A malicious attack that did gain access to a users account could do serious harm, especially if users store master passwords to other services, such as their online banking details, shopping accounts or app store logins.

Such an attack works best in the Google Chrome browser, said Cassidy.

However, LastPass said it has now strengthened its defences against such an attack, such as by requiring all users to certify any new device via their email accounts.

LastPass bypassed

This particular security flaw is both technical and communicative. Even the most discerning user could be fooled by this attack, which requires "no sophisticated knowledge".

Moreover, Cassidy asserted that enabling two-factor authentication actually makes this particular type of attack against LastPass "easier", because LastPass sends an email confirmation when a new IP address attempts to log in by default.

Cassidy said: "This should stop the attack almost entirely, but it doesn't. According to LastPass's documentation, the confirmation email is only sent if you don't have two-factor authentication enabled."

Explaining why he published details of this exploit, Cassidy said: "As soon as I published details of this attack, criminals could make their own version in less than a day. I am publishing this tool so that companies can pen-test themselves to make an informed decision about this attack and respond appropriately.

"This is backwards for most vulnerability disclosures. Most vulnerabilities are easy-to-fix and hard-to-exploit. This is hard-to-fix and easy-to-exploit, so I felt that a tool release was appropriate."

As well as avoiding keeping essential or financially sensitive account information in their LastPass vault, Cassidy recommended that users watch out for in-browser notifications, enable IP restriction (if they pay for its premium service), and disable mobile login.

Cassidy debuted his findings at a conference over the weekend, and LastPass has taken notice. It has published details of its response to Cassidy's phishing attack flaw, which can be read here.

A LastPass spokeswoman told IT Pro: "We have made improvements in response to Cassidy's research and have many layers of protection in place to mitigate this phishing attack notably our verification requirements when an account is being accessed from a new location or device.

Regarding the two-factor authentication loophole specifically, she added: "We have now enabled email verification for all users, including those with two-factor authentication enabled for their account.

"We always recommend that users choose a strong master password that is never used for any other account, and turning on two-factor authentication for additional protection. It's also important to protect your email account with a strong, unique password and two-factor authentication, if your email provider offers it.

"As always, security is our focus here at LastPass. We value the contributions from the research community that help us offer an even more secure service and provide us an opportunity to educate users about security threats."

This is not the first case of a hack that could potentially blow users' LastPass vaults wide open. In June 2015, hackers reportedly made off with user data.

Last November, security researchers Alberto Garcia and Martin Vigo published an account of their own attempts to hack LastPass.

Cassidy has posted the code for his finding to GitHub.

This article was originally published on 18 January 2016 at 12:25. It was updated late that day with a comment from LastPass at 13:50.