A phishing attack against password vault LastPass can allow an attacker to steal a user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.
According to research by Sean Cassidy, a software engineer whose day job is CTO at Praesidio, the ‘LostPass’ attack works because LastPass displays messages in the browser that attackers can fake.
He also said that as LostPass phishes for the two-factor auth code, it bypasses the email confirmation step.
“Users can't tell the difference between a fake LostPass message and the real thing because there is no difference,” he says. “It's pixel-for-pixel the same notification and login screen.”
He explained that as LastPass trained users to expect notifications in the browser viewport, they would be none the wiser to these messages. “Since LastPass has an API that can be accessed remotely, an attack materialized in my mind,” he says.
The attack works by the victim going to a malicious website that looks benign, or a real website that is vulnerable to XSS. If a user has LastPass installed, LastPass is vulnerable to a logout CSRF, so any website can log any user out of LastPass. This will make it appear to the user that they are truly logged out.
Once the victim clicks on the fake banner, they can be directed to an attacker-controlled login page that looks identical to the LastPass one. This is the login page for Chrome where the victim will enter their password and send the credentials to the attacker's server.
Cassidy said that the attack works best against the Chrome browser because it uses an HTML login page. Firefox actually pops up a window for its login page, so it looks like whatever operating system you're on.
LastPass acknowledged the bug in December. It implemented a fix with a warning message in the browser viewport, like all of their messages. He says: “On an attacker-controlled website, it is trivial to detect when this notification is added. Then the attacker can do whatever. In LostPass, I suppress the notification and fire off a request to an attacker server to log the master password.
“We need to take a long look at phishing and figure out what to do about it. In my view, it's just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such.”