Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?


Data Protection

Flaws Allowed Hackers to Bypass LastPass 2FA

LastPass vulnerabilities

LastPass vulnerabilities

Design flaws in LastPass’ implementation of two-factor authentication (2FA) could have been exploited by hackers to bypass the protection mechanism and gain access to user accounts.

Martin Vigo, one of the Salesforce researchers who in November 2015 reported finding several vulnerabilities in LastPass, has once again analyzed the popular password manager, particularly its 2FA mechanism.

The temporary 2FA codes are generated based on several variables, including a secret seed which is typically encoded in a QR code that the user scans with a 2FA app such as Google Authenticator.

Vigo’s tests showed that the request made when a QR code image was displayed to the user contained the login hash used by LastPass for authentication. In fact, the 2FA secret seed had been derived from the user’s password, which defeated the entire purpose of 2FA protection as the attacker presumably already possesses the password.

While determining the URL of the QR code was not difficult, a hacker needed to be authenticated for the attack to work. However, exploiting a cross-site request forgery (CSRF) vulnerability could address this problem. Getting a logged-in user to click on a specially crafted link that exploits a CSRF flaw could have allowed an attacker to obtain the QR code image.

According to Vigo, an attacker could have also leveraged cross-site scripting (XSS) vulnerabilities on popular websites to avoid having the victim visit his malicious site, which would be more likely to raise suspicion.

The researcher also found a simple way to disable 2FA using a CSRF vulnerability. As with all CSRF attacks, the hacker needed to get the victim to visit a malicious website.

LastPass was informed about these vulnerabilities on February 7 and immediately started working on patches. The company addressed the CSRF flaws, added a security mechanism for checking the origin of a QR code request, and eliminated the use of password hashes for the secret seed.

Advertisement. Scroll to continue reading.

In a blog post published on Thursday, LastPass informed users that they don’t need to take any action as all the fixes have been done on the server side. The company also pointed out that exploiting the flaws required a combination of factors that made attacks more difficult.

“To exploit this issue an attacker would have needed to take several steps to bypass Google Authenticator,” LastPass said. “First, the attacker would have had to lure a user to a nefarious website. Second, the user would have to be logged in to LastPass at the time of visiting the malicious site.”

Vigo’s disclosure comes shortly after Google Project Zero researcher Tavis Ormandy reported finding several vulnerabilities in the LastPass browser extensions.

Related: LastPass Flaws Allow Hackers to Steal Passwords

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Anirban Sengupta has been named the CTO and SVP of Engineering of cloud networking and security firm Aviatrix.

Axonius has named Nick Degnan as its first Chief Revenue Officer and Rob Casselman as its first Chief Customer Officer.

Craig Boundy has left Experian to join McAfee as President and CEO.

More People On The Move

Expert Insights