A security flaw affecting password manager LastPass could allow an attacker to steal user credentials, emails and passwords, and even access two-factor authentication codes, research has revealed.
The flaw was exposed by Sean Cassidy, chief technical officer at cloud security firm Praesidio, who has dubbed it ‘LostPass’. It is an easy-to-execute phishing attack that can display malicious messages in the browser that attempt to gather sensitive credentials.
“LostPass works because LastPass displays messages in the browser that attackers can fake. Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and log-in screen,” said Cassidy in a blog post.
Once the victim clicks on a fake banner they can be redirected to a malicious log-in page that exactly mirrors the official version. From this point, unknown to the user, the page will scoop up the username and password and send the details to the attacker’s server.
What’s worse, two-factor authentication makes this attack “significantly easier”, the researcher warned.
“By default, LastPass sends an email confirmation when a new IP address attempts to log-in to LastPass. This should stop the attack almost entirely, but it doesn’t. According to LastPass’s documentation, the confirmation email is only sent if you don’t have two-factor authentication enabled,” he said.
The attack works best against the Chrome browser because the LastPass extension there uses an HTML log-in page, which an ordinary web page can imitate.
Cassidy informed LastPass of the problem in November. The firm acknowledged the bug in December, yet Cassidy maintains that the flaw is still present.
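The passage above makes the defender's point: when the fake banner and log-in page are pixel-for-pixel identical to the real ones, what the page looks like carries no information, and the only signal left is the origin the credentials are about to be sent to. The following is an added example, not code from Cassidy's post or from LastPass, showing the kind of origin check a browser-side helper, proxy log review or user-education tool could apply. The allowed host and all sample URLs are constructed placeholders, and the check is deliberately strict: HTTPS only, exact host or subdomain, and no trust in anything that merely contains the expected name.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the host(s) on which the genuine log-in form is
# expected to live. Adjust to the deployment being checked.
EXPECTED_LOGIN_HOSTS = frozenset({"lastpass.com"})


def is_legitimate_login_origin(url: str, allowed_hosts=EXPECTED_LOGIN_HOSTS) -> bool:
    """Return True only if `url` is served over HTTPS from an allowed host
    (exact match or subdomain). Appearance of the page is never consulted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URL (e.g. unbalanced IPv6 brackets): never trust it.
        return False
    if parts.scheme != "https":
        return False
    # .hostname discards userinfo ("lastpass.com@evil.example" -> evil.example)
    # and the port, and is already lower-cased.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "lastpass.com." is the same DNS name
    for allowed in allowed_hosts:
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def classify_login_urls(urls):
    """Map each candidate log-in URL to True (expected origin) or False."""
    return {u: is_legitimate_login_origin(u) for u in urls}


# Constructed sample inputs: one genuine-looking origin and several of the
# ways a lookalike page can carry the expected name without being it.
SAMPLE_URLS = [
    "https://lastpass.com/login",                  # real origin
    "https://LastPass.com:443/login",              # case and explicit port
    "https://lastpass.com.evil.example/login",     # expected name as a subdomain of another host
    "https://lastpass.com@evil.example/login",     # expected name hidden in userinfo
    "https://evil.example/lastpass.com/login",     # expected name only in the path
    "http://lastpass.com/login",                   # plaintext, could be rewritten in transit
    "javascript:alert(1)",                         # not a web origin at all
]

if __name__ == "__main__":
    for url, ok in classify_login_urls(SAMPLE_URLS).items():
        print(f"{'OK ' if ok else 'BAD'}  {url}")
```

The check only decides where a credential submission would go; it cannot tell a user that the banner which led them there was drawn by a web page rather than by the browser, which is exactly the gap the researcher describes.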
“This has been a long and confusing issue. At first LastPass understood this bug to be mainly a result of the log-out CSRF. Then they suggested it wouldn’t work because of the email confirmation step. The GM of LastPass said that LastPass ‘can confirm this is a phishing attack, not a vulnerability in LastPass’. I obviously disagree,” he said.
“We as an industry do not respond to phishing attacks well. I do not blame LastPass for this. They are like everyone else. We need to take a long look at phishing and figure out what to do about it. In my view, it’s just as bad, if not worse, than many remote code execution vulnerabilities, and should be treated as such.”
Cassidy has published the source code for the bug on GitHub.