‘LostPass’ Phishing Scam Can Steal LastPass Credentials

A security researcher has cast doubt on the security of password-management website LastPass by claiming he has discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.

‘LostPass’, as Praesidio CTO Sean Cassidy calls it, works by mimicking the ‘session expired’ notifications that LastPass serves up in a user’s browser. He argued that users are trained to accept these notifications as normal and therefore their guard might be down when visiting a website.

LostPass method

“LostPass works because LastPass displays messages in the browser that attackers can fake,” he said. “Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and login screen.”

“Any malicious website could have drawn [such a] notification,” he said. “Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well.

“Since LastPass has an API that can be accessed remotely, an attack materialised in my mind.”

Cassidy’s method involves getting a victim to visit a malicious website that appears genuine, or a real website susceptible to cross-site scripting (XSS), which detects whether the visitor is running LastPass. If they are, a fake notification is issued to make it appear as though the user has genuinely been logged out.

Let’s go phishing

If clicked, the user is sent to a fake log-in page, where they are prompted to enter their credentials. These credentials are sent to the attacker’s server and verified by using the LastPass API. If the details are incorrect, users might even be sent a two-factor authentication prompt.

“Once the attacker has the correct username and password (and two-factor token), download all of the victim’s information from the LastPass API,” continued Cassidy. “We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a ‘trusted device’. Anything we want, really.”

Cassidy defended the decision to publish his method on Github, arguing that LastPass users would benefit. He said he notified LastPass in November, and had not been satisfied by their response.

“We as an industry do not respond to phishing attacks well,” said Cassidy. “I do not blame LastPass for this, they are like everyone else. We need to take a long look at phishing and figure out what to do about it. In my view, it’s just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such.”

LastPass security

The discovery raises fresh concerns about the security of LastPass, which was bought by LogMeIn last year in a deal potentially worth up to £81 million. In June 2015, LastPass suffered a major data breach, forcing it to prompt all users to change their master passwords. Third-party credentials were not affected.

LastPass directed TechWeekEurope to an FAQ page detailing the steps it had taken to limit the potential for a phishing attack. These include warnings and additional verification, but the company said browsers should provide better protection.

“A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack,” it said. “LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM.”

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
