A security flaw in the popular single-sign-on (SSO) and password management service LastPass could allow a bad actor conducting a phishing attack to fully compromise user accounts, researcher Sean Cassidy has discovered.
The attack is possible by creating a fake notification appearing to be LastPass displaying a message in a browser informing the user that the session has expired and that they must login again.
In a blog post, Cassidy explains that he created an attack tool dubbed LostPass, which could allow an attacker to steal user email addresses, passwords, and even two-factor authentication codes. Bad actors using this attack could easily gain access to all of a user’s passwords and documents stored in LastPass, because users would not be able to distinguish between a real notification and a fake one.
For the attack to be successful, a cybercriminal needs to redirect the victim to a malicious website or to a site vulnerable to Cross-Site Scripting (XSS), in order to deploy a js file to their devices (lostpass.js). Next, the attacker would check the device for LastPass installation and would display the login expired notification.
Due to the fact that LastPass is vulnerable to a logout cross-site request forgery (CSRF) flaw, the attacker is also able to log the user out of LastPass, which would trick the user into believing that the notification is real. As soon as the victim clicks on the banner, the attacker would redirect them to an attacker-controlled login page that looks identical to the LastPass one.
Next, the user would enter the password and send the credentials to the attacker’s server, and they can check if the information is correct by calling LastPass's API, which will also inform whether two-factor authentication is required. If the information is not correct, the user will be redirected back to the malicious website, with the notification displaying an "Invalid Password" message.
Should the user have two-factor authentication enabled, the page would redirect them to a two-factor prompt. Armed with the victim’s username, password, and two-factor authentication, the attacker could download all of the victim’s information from the LastPass API and can even install a backdoor in their account, disable the two-factor authentication, or add the attacker’s server as a trusted device.
According to the researcher, the attack works best against Chrome because the browser uses an HTML login page, while Firefox pops up a window for the login page, which would look like the operating system the user runs. He also explains that the attack has been specifically developed to work against LastPass 4.0, though it does not include version detection functions.
Cassidy also notes that the attack is even easier to perform if two-factor authentication is enabled, as LastPass by default sends a confirmation email only if the option is not enabled. Since the LostPass attack was designed to phish for the two-factor auth code as well, the email confirmation step is completely bypassed.
LastPass users can check if they have been attacked by heading to their LastPass Account History and looking at the login attempts and the IP addresses they was done from. They should also ignore notifications in the browser window, enable IP restrictions (available on paid plans), disable mobile logins, log all logins and failures, and inform employees of this potential attack.
The researcher also notes that LastPass was informed of the issue in November, and that they acknowledged it in December, but suggested it was only a phishing attack, and not a vulnerability. Additionally, Cassidy explains that the flaw is easy to exploit but very difficult to patch, and that his LostPass tool is meant to provide companies with the necessary means to pen-test themselves.
LastPass took steps to remediate the issue by warning users when they type in their master password into some website, but the notification is still displayed in the browser viewport, like all other messages. This means that an attacker-controlled website can detect when the notification is added and that the attacker could suppress it and could fire off a request to an attacker server to log the master password.
Cassidy noted on Monday morning that LastPass has apparently taken some additional security measures, and now requires email confirmation for all logins from new IPs.
“This substantially mitigates LostPass, but does not eliminate it,” Cassidy said.
Browser makers can also take steps to prevent the attack, Cassidy says. In Chrome, the attack is based on spoofing the “chrome-extension” protocol by bringing the domain “chrome-extension.pw,” which looks close enough to the Chrome protocol for real extensions. The researcher also notes that there is an open issue in Chromium to address this.
To exploit the issue in Firefox, the researcher had to draw each OS's native widget manually using HTML and CSS, which made his work a bit more difficult. However, the result is very close to reality, and even savvy users would have difficulties spotting the fake notification.
In November at the Black Hat Europe security conference, Salesforce researchers Alberto Garcia Illera and Martin Vigo disclosed a series of bugs and design flaws in LastPass and explained how they could have been exploited to attack the service via various vectors. LastPass has addressed most of the issues shortly after the experts informed them on the matter.
In October 2015, LogMeIn announced that it would acquire LastPass for $125 million in cash. Estimated to have millions of users, LastPass was said to be available alongside Meldium, the cloud-based single-sign-on (SSO), password management, and identity and access management (IAM) solutions startup that LogMeIn acquired in September 2014.