LastPass has taken measures to mitigate a phishing attack described this weekend at ShmooCon that put at risk users’ credentials and information stored by the password manager.
Researcher Sean Cassidy, chief technology officer of cloud security company Praesidio, demonstrated an attack in which he recreated a LastPass login page, pixel-for-pixel as he put it. Cassidy’s LostPass attack starts with a phishing email redirecting a victim to a hacker’s page hosting the phony login. The hacker’s notification page tells the user they’ve been logged out of LastPass and convinces them to enter their password, two-factor authentication information and more. With the user’s credentials, an attacker could have access to the victim’s passwords and any documents stored in LastPass.
The company, following Cassidy’s presentation Saturday at the Washington, D.C. hacker conference, has made email verification a default requirement when accounts are being accessed from new locations or devices.
“It does mitigate my attack,” Cassidy today told Threatpost. Cassidy said that LastPass’ use of two-factor authentication simplified his attack because previously, a confirmation email was only sent if the user did not have two-factor authentication enabled. Cassidy said because the LostPass attack phishes users for their two-factor authentication data, the email confirmation was sidestepped.
“Before, if you had two-factor authentication enabled, two-factor made you less secure,” Cassidy said. “Requiring email confirmation is a step in the right direction.”
A LastPass representative said email verification for new locations and devices was turned on as a default in mid-2015.
“At the time, however, we allowed users with two-factor authentication to bypass the verification step, since these users already had additional protection enabled for their LastPass account,” LastPass’ representative said. “However, in response to Cassidy’s research, we have now made it the default for all users, including those with two-factor authentication enabled.”
Cassidy has released a tool that he said organizations can use to test against his attack. He said he found the vulnerability in October and privately disclosed it in November to LastPass. The two sides, however, had some disagreement over the issue, with LastPass treating it as a phishing attack and not a vulnerability in the product.
“I’m glad LastPass is addressing this, but it took until I went public for it to happen,” Cassidy said. “This is a good example of going public prompting people to start fixing security. I don’t think the industry in general responds well to phishing compared to broader software security issues.”
The key to LostPass’ success is the LastPass message that is displayed in the browser viewport; it’s simple to reproduce, Cassidy said, in particular on Google Chrome.
“Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser,” Cassidy wrote on his website. “The LastPass login screen and two-factor prompt are drawn in the viewport as well.”
The attacker uses a phishing email to get the victim to visit a website hosting the attack or a legitimate site vulnerable to cross-site scripting. If LastPass is running on the victim’s machine, the user will see a notification that their login has expired. The attacker’s notification includes a banner directing them to a phony login page requesting the user’s credentials. The attacker’s server calls the LastPass API checking the credentials and whether two-factor authentication is turned on. If so, the victim will be served another page prompting them for their second credential.
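The flow above ends with the attacker’s server replaying the phished password and second factor from its own host. The following added example (not LastPass code; the account data, device names and policy labels are constructed) models the server-side login decision under the two policies the article describes, showing why a phished second factor defeated the old policy and why the new default stops at an out-of-band step the phisher cannot complete:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the login decision the article describes; not LastPass code.
# Policy A: verification email for new devices, skipped when 2FA is enabled (old default).
# Policy B: verification email for new devices, for every account (new default).
SKIP_EMAIL_WHEN_2FA = "skip_email_when_2fa"
EMAIL_FOR_ALL = "email_for_all"


@dataclass
class Account:
    password: str
    two_factor_enabled: bool
    otp: Optional[str] = None            # the one-time code the user would type
    known_devices: set = field(default_factory=set)


def attempt_login(account, device_id, password, otp, policy):
    """Return 'denied', 'granted' or 'needs_email_verification'."""
    if password != account.password:
        return "denied"
    if account.two_factor_enabled and otp != account.otp:
        return "denied"
    if device_id in account.known_devices:
        return "granted"
    # New device: the old policy treated a valid OTP as proof enough.
    if policy == SKIP_EMAIL_WHEN_2FA and account.two_factor_enabled:
        return "granted"
    # The attacker holds the password and OTP, but not the victim's inbox.
    return "needs_email_verification"


def replay_phished_credentials(policy):
    """Outcome when everything the fake page collected is replayed from an unknown host."""
    victim_no_2fa = Account("hunter2", False, known_devices={"victim-laptop"})
    victim_2fa = Account("hunter2", True, otp="492117", known_devices={"victim-laptop"})
    return {
        "no_2fa": attempt_login(victim_no_2fa, "attacker-host", "hunter2", None, policy),
        "2fa": attempt_login(victim_2fa, "attacker-host", "hunter2", "492117", policy),
    }
```

Under the old policy the 2FA account is the only one that lands on "granted", which is the sense in which two-factor made those users less secure.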
LastPass said that it is rethinking its reliance on the browser viewport for notifications and is working on options to bypass it and avoid similar phishing attacks. It also reiterated a plea made to Google to provide a way to avoid using the viewport for notifications in Chrome.
“As far as phishing attacks, this is the worst possible scenario,” Cassidy said. “An attacker doesn’t just have access to a website, but they have all the passwords, credit card numbers and documents stored in there. LastPass’ core value is that all your secrets are in one place and we protect them. They’re not doing that. It’s hard to think phishing has effects more severe than this.”