January 18, 2016 by

LastPass Is Vulnerable to a Phishing Attack

LastPass is arguably the most popular password manager available. Recently, the company announced an update to the password manager with a new interface and features. However, an independent researcher has discovered significant vulnerabilities that expose the average LastPass user to phishing.

Security researcher Sean Cassidy at Praesidio, a cloud-based cybersecurity firm, revealed in a detailed blog post the ease with which a malicious attacker can steal a user’s credentials and gain access to the target’s account. This includes the user’s email, password and, remarkably, even the two-factor authentication code, which essentially grants the malicious hacker complete access to all passwords, forms and documents stored in the password vault and manager.

Essentially, the exploit is a simple spoof of a popup that LastPass routinely displays, asking users to re-enter their credentials when their session has expired. When spoofed accurately, “pixel-for-pixel”, as Cassidy puts it, it is practically impossible to tell the difference between the LastPass popup and the malicious popup.

Speaking about his foray into discovering the vulnerability, Cassidy explained:

A few months ago, LastPass displayed a message on my browser that my session had expired and I needed to log in again. I hadn’t used LastPass in a few hours, and hadn’t done anything that would have caused me to be logged out.

When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification

His spoofing attack is now available as public code on GitHub, called LostPass (named to distinguish it from LastPass).

Cassidy further added that any malicious website that a user visits or is redirected to, could easily draw such a notification. Even seasoned users of LastPass would be unable to tell the difference as the login screen and even the two-factor prompt are drawn into the malicious viewport.


Altogether, Cassidy determined that LastPass was vulnerable to Cross-Site Request Forgery (CSRF), a type of attack in which a malicious website uses the visitor’s web browser to initiate an unwanted action on a trusted site where the user is already authenticated.

Cassidy added:

Once the attacker has the correct username and password (and two-factor token), download all of the victim’s information from the LastPass API.

We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a “trusted device”. Anything we want, really.

Image credit: YouTube

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
