Anyone could pull off a LostPass phishing attack to get all your LastPass passwords

"LostPass: Pixel-perfect LastPass Phishing" was presented at ShmooCon 2016; it's easy for anyone to become an attacker, using the released LostPass code, and pull off a phishing attack to get all your passwords.

LostPass phishing attack on LastPass
Credit: Sean Cassidy

Heads-up if you use LastPass: a security researcher has released LostPass code on GitHub that bad guys could jump on immediately, and an attack could be in the wild even now. In essence, if you use LastPass you could be tricked into handing over the keys – your master password – to your digital kingdom.

The LostPass attack works best in Chrome, but if you think you could spot the phishing then think again; Sean Cassidy, CTO of cloud-based cybersecurity firm Praesidio, warned that a user would not be able to tell a difference between a LastPass message displayed in the browser and the fake LostPass message since “it’s pixel-for-pixel the same notification and login screen.”

It’s not rocket science to be an attacker and exploit LastPass; in fact, in the write-up about his ShmooCon 2016 presentation, “LostPass: Pixel-perfect LastPass Phishing,” Cassidy wrote that the “attack requires no sophisticated knowledge. A simple right-click will get you the HTML. A tiny bit of JavaScript will glue the pieces together. As soon as I published details of this attack, criminals could make their own version in less than a day.”

LostPass attack on LastPass

LostPass was designed specifically to work against LastPass 4.0. The LostPass attack could work if a victim were to surf to a malicious site or a site that is vulnerable to cross-site scripting (XSS). The attack works best when the victim is using Chrome as notifications are shown in the browser viewport; although it’s harder to spoof in Firefox, which uses a pop-up window for its login page, it’s not impossible.

Cassidy noted that it is easy to detect if a person is using LastPass and it is “even easier to find the exact HTML and CSS that LastPass uses to show notifications and login pages.” So an attacker can determine if LastPass is installed and show a fake “Your LastPass session appears to have expired. Please re-login.” notification.

Since LastPass is vulnerable to a logout cross-site request forgery (CSRF), any site can log a user out of LastPass. To a victim, it will appear as if she logged out. As soon as the user clicks on the fake session-expired banner, an attacker could direct the victim to an attacker-controlled login page. Cassidy explained, “The victim will enter their password and send the credentials to the attacker's server. The attacker's server will check if the credentials are correct by calling LastPass's API. The API will inform us if two-factor authentication is required.”

LostPass even phishes for the two-factor authentication code “so 2FA is no help.” If the victim is using 2FA, Cassidy says it makes it even easier for the attacker. That’s because LastPass sends an email confirmation by default when a new IP address attempts to login…except when it doesn’t. “According to LastPass's documentation,” wrote Cassidy, “the confirmation email is only sent if you don't have two-factor authentication enabled.”

He added:

Once the attacker has the correct username and password (and two-factor token), download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a “trusted device”. Anything we want, really.

Cassidy disclosed the bug to LastPass in November and it was acknowledged in December. To LastPass, this is not a vulnerability but a phishing attack; it believed it even had this type of attack covered, since a user would receive an email notification of any new IP address attempting to login. The company did release an update which patched the CSRF vulnerability in Chrome. Additionally, LastPass will flash a warning message if you enter your master password into a form that is not associated with LastPass. However, Cassidy said an attacker can suppress the notification.

The security industry doesn’t take phishing seriously enough, Cassidy believes, as “Phishing is the most dominant attack vector and is used by everyone from run-of-the-mill cryptolocker types to APTs (advanced persistent threats).”

He advised users to keep tabs on their LastPass Account History in order to check for unfamiliar IP addresses that attempt to log in. He also suggested that users ignore notifications in the browser window, disable mobile login, enable IP restriction and inform people about the attack.
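One way to act on that Account History advice, as an added example that is not from the article, from Cassidy or from LastPass: a small Python check over an exported history that flags logins and account changes from unfamiliar IPs, and calls out a login that lands seconds after a logout, the trace the forced-logout-then-relogin flow described above would leave. The record format (timestamp, IP, action), the known-IP list and the sample rows are all constructed assumptions; adapt the parser to the real export.

```python
from datetime import datetime, timedelta

# Constructed sample: a normal session, then a logout immediately followed by
# a login and an account change from an IP the user has never used before.
SAMPLE_HISTORY = """\
2016-01-18T09:02:11Z,203.0.113.10,Login
2016-01-18T09:40:53Z,203.0.113.10,Logout
2016-01-18T09:41:20Z,198.51.100.77,Login
2016-01-18T09:43:02Z,198.51.100.77,Trusted device added
"""

KNOWN_IPS = {"203.0.113.10"}   # IPs the user recognises (assumption)
WINDOW = timedelta(minutes=5)  # logout-to-login gap worth calling out


def parse_history(text):
    """Parse 'timestamp,ip,action' rows into a time-sorted list of tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, action = line.split(",", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, action))
    return sorted(events)


def find_suspicious(text, known_ips=KNOWN_IPS, window=WINDOW):
    """Return (timestamp, ip, reason) for every event from an unfamiliar IP.

    A login from an unfamiliar IP that follows a logout within `window`
    gets the gap noted in its reason, since that pairing is the pattern
    a forced logout plus credential replay from another machine leaves.
    """
    findings = []
    last_logout = None
    for ts, ip, action in parse_history(text):
        if action == "Logout":
            last_logout = ts
            continue
        if ip in known_ips:
            continue
        if action == "Login":
            reason = "login from unfamiliar IP"
            if last_logout is not None and ts - last_logout <= window:
                reason += " within %d s of a logout" % (ts - last_logout).seconds
        else:
            reason = "account change from unfamiliar IP: " + action
        findings.append((ts, ip, reason))
    return findings


if __name__ == "__main__":
    for ts, ip, reason in find_suspicious(SAMPLE_HISTORY):
        print(ts.isoformat(), ip, reason)
```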
