LastPass is arguably the most popular password manager available. Recently, the company announced an update to the password manager with a new interface and features. However, an independent researcher has disclosed a phishing technique that puts the average LastPass user's entire vault at risk.
Security researcher Sean Cassidy of Praesidio, a cloud-based cybersecurity firm, showed in a detailed blog post how easily an attacker can steal a user's credentials and gain access to the target's account: the user's email address, master password and, remarkably, even the two-factor authentication code. Together these grant the attacker complete access to every password, form and document stored in the vault.
The attack is a simple spoof of a popup that LastPass routinely shows, asking users to re-enter their details when their session has expired. When spoofed accurately, "pixel-for-pixel" as Cassidy puts it, it is practically impossible to tell the malicious popup from the genuine LastPass one.
Speaking about his foray into discovering the vulnerability, Cassidy explained:
A few months ago, LastPass displayed a message on my browser that my session had expired and I needed to log in again. I hadn’t used LastPass in a few hours, and hadn’t done anything that would have caused me to be logged out.
When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification
His spoofing attack is now available as public code on GitHub, under the name LostPass (to help tell the two apart).
Cassidy further noted that any malicious website a user visits or is redirected to could draw such a notification. Even seasoned LastPass users would be unable to tell the difference, since the login screen and even the two-factor prompt are drawn inside the malicious page's own viewport rather than in the browser's chrome.
Cassidy also determined that LastPass was vulnerable to Cross-Site Request Forgery (CSRF), a type of attack in which a malicious website uses the visitor's web browser to initiate an unwanted action on a trusted site where the user is already authenticated. In the LostPass write-up, the CSRF is what lets the attacker's page log the victim out of the real extension, so the spoofed "session expired" notification matches the extension's actual state.
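The CSRF the article names is easiest to picture with a small model. The following is an added example, not code from LastPass, Praesidio or the LostPass repository: a logout endpoint in its vulnerable form beside a hardened one, exercised with three constructed browser requests. The endpoint, cookie name, origins and token values are assumptions made for illustration, and the handlers are pure functions so the whole thing runs under Node without a network.

```javascript
// Added example, not code from LastPass, Praesidio or the LostPass repo.
// It models the kind of logout CSRF the article names, as pure request
// handlers that run under Node with no network. The endpoint, cookie name,
// origin and token values are assumptions made for illustration.

const TRUSTED_ORIGIN = 'https://vault.example'; // assumed origin of the trusted site

// Fresh session store for each scenario: cookie value -> session record.
function makeSessions() {
  return new Map([['sid-123', { user: 'victim@example.com', csrfToken: 'tok-abc' }]]);
}

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Vulnerable handler: the cookie alone authorises the logout, so any page
// that can make the browser send a request here logs the victim out.
function logoutVulnerable(sessions, req) {
  const sid = parseCookies(req.headers.cookie).sid;
  if (!sessions.has(sid)) return { status: 401, loggedOut: false };
  sessions.delete(sid);
  return { status: 200, loggedOut: true };
}

// Hardened handler: state change only on POST, only when the browser-set
// Origin header names our own site, and only with the per-session CSRF token.
function logoutHardened(sessions, req) {
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sessions.get(sid);
  if (!session) return { status: 401, loggedOut: false };
  if (req.method !== 'POST') return { status: 405, loggedOut: false };
  // A cross-origin page cannot set Origin itself; the browser fills it in.
  if (req.headers.origin !== TRUSTED_ORIGIN) return { status: 403, loggedOut: false };
  const token = (req.body || {}).csrf;
  if (token !== session.csrfToken) return { status: 403, loggedOut: false };
  sessions.delete(sid);
  return { status: 200, loggedOut: true };
}

// Constructed requests, as a browser would send them. The cookie is attached
// automatically in all three; the attacker never sees its value.
// 1. <img src="https://vault.example/logout"> on the attacker's page.
const attackerImgGet = {
  method: 'GET',
  headers: { cookie: 'sid=sid-123', 'sec-fetch-site': 'cross-site' },
};
// 2. Auto-submitted <form method="POST" action="https://vault.example/logout">.
const attackerFormPost = {
  method: 'POST',
  headers: { cookie: 'sid=sid-123', origin: 'https://attacker.example', 'sec-fetch-site': 'cross-site' },
  body: {},
};
// 3. The real logout button on the trusted site.
const legitimatePost = {
  method: 'POST',
  headers: { cookie: 'sid=sid-123', origin: TRUSTED_ORIGIN, 'sec-fetch-site': 'same-origin' },
  body: { csrf: 'tok-abc' },
};

// Run every request against both handlers and report who got logged out.
function runScenarios() {
  const results = {};
  for (const [name, req] of Object.entries({ attackerImgGet, attackerFormPost, legitimatePost })) {
    results[name] = {
      vulnerable: logoutVulnerable(makeSessions(), req).loggedOut,
      hardened: logoutHardened(makeSessions(), req).loggedOut,
    };
  }
  return results;
}

console.log(runScenarios());
```

The vulnerable handler logs the victim out for all three requests; the hardened one only for the legitimate POST. The same checks apply to any state-changing endpoint, and setting the session cookie with `SameSite=Lax` or `Strict` stops the browser attaching it to cross-site requests in the first place, which is the cheapest layer to add.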
As Cassidy's write-up puts it: once the attacker has the correct username and password (and two-factor token), they can download all of the victim's information from the LastPass API.
We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a “trusted device”. Anything we want, really.