A security researcher has cast doubt on the security of password-management website LastPass by claiming he has discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.
‘LostPass’, as CTO for Praesidio Sean Cassidy describes it, works by mimicking the ‘session expired’ notifications served up by LastPass in a user’s browser. He argued that users are trained to accept these notifications and normal and therefore their guard might be down when visiting a website.
“Any malicious website could have drawn [such a] notification,” he said. “Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well.
“Since LastPass has an API that can be accessed remotely, an attack materialised in my mind.”
Cassidy’s method involves getting a victim to visit a malicious website that appears genuine, or a real website susceptible to cross-site scripting (XSS), and detect whether the visitor is running LastPass. If they are, a fake notification is issued to make it appear as though the user has genuinely been logged out.
If clicked, the user is sent to a fake log-in page, where they are prompted to enter their credentials. These credentials are sent to the attacker’s server and verified by using the LastPass API. If the details are incorrect, users might even be sent a two-factor authentication prompt.
Cassidy defended the decision to publish his method on Github, arguing that LastPass users would benefit. He said he notified LastPass in November, and had not been satisfied by their response.
“We as an industry do not respond to phishing attacks well,” said Cassidy. “I do not blame LastPass for this, they are like everyone else. We need to take a long look at phishing and figure out what to do about it. In my view, it’s just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such.”
The discovery raises fresh concerns about the security of LastPass, which was bought by LogMeIn last year in deal potentially worth up to £81 million. In June 2015, the LastPass suffered a major data breach, forcing it to prompt all users to change their master passwords. Third party credentials were not affected.
LastPass directed TechWeekEurope to an FAQ page detailing how it had taken steps to limiting the potential for a phishing attack. These include warnings and additional verification, but the company said browsers should provide better protection.
“A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack,” it said. “LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM.”
Are you a security pro? Try our quiz!
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…