Security researcher devises method of stealing LastPass login details using browser notifications and API
A security researcher has cast doubt on the security of password-management website LastPass by claiming he has discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.
‘LostPass’, as CTO for Praesidio Sean Cassidy describes it, works by mimicking the ‘session expired’ notifications served up by LastPass in a user’s browser. He argued that users are trained to accept these notifications and normal and therefore their guard might be down when visiting a website.
“LostPass works because LastPass displays messages in the browser that attackers can fake,” he said. “Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and login screen.”
“Any malicious website could have drawn [such a] notification,” he said. “Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well.
“Since LastPass has an API that can be accessed remotely, an attack materialised in my mind.”
Cassidy’s method involves getting a victim to visit a malicious website that appears genuine, or a real website susceptible to cross-site scripting (XSS), and detect whether the visitor is running LastPass. If they are, a fake notification is issued to make it appear as though the user has genuinely been logged out.
Let’s go phishing
If clicked, the user is sent to a fake log-in page, where they are prompted to enter their credentials. These credentials are sent to the attacker’s server and verified by using the LastPass API. If the details are incorrect, users might even be sent a two-factor authentication prompt.
“Once the attacker has the correct username and password (and two-factor token), download all of the victim’s information from the LastPass API,” continued Cassidy. “We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a ‘trusted device’. Anything we want, really.”
Cassidy defended the decision to publish his method on Github, arguing that LastPass users would benefit. He said he notified LastPass in November, and had not been satisfied by their response.
“We as an industry do not respond to phishing attacks well,” said Cassidy. “I do not blame LastPass for this, they are like everyone else. We need to take a long look at phishing and figure out what to do about it. In my view, it’s just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such.”
The discovery raises fresh concerns about the security of LastPass, which was bought by LogMeIn last year in deal potentially worth up to £81 million. In June 2015, the LastPass suffered a major data breach, forcing it to prompt all users to change their master passwords. Third party credentials were not affected.
LastPass directed TechWeekEurope to an FAQ page detailing how it had taken steps to limiting the potential for a phishing attack. These include warnings and additional verification, but the company said browsers should provide better protection.
“A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack,” it said. “LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM.”
Are you a security pro? Try our quiz!