Washington, D.C. - At ShmooCon on Saturday, Sean Cassidy, the CTO of Praesidio, demonstrated a clever attack against LastPass, which is possible thanks to a security trade-off and easily spoofed UX elements.

Cassidy’s presentation at ShmooCon on Saturday morning outlined a clever Phishing attack against LastPass users, which is made possible by design elements within the password manager’s core functions.

The attack, which doesn’t require any special skill or circumstance to accomplish, enables an attacker to steal a LastPass customer’s entire existence, as everything stored by the LastPass service is exposed.

Cassidy discovered the flaw several months ago, after the LastPass software displayed an in-browser notification alerting him to an expired session and prompting him to log in again.

This notification was displayed after he had followed a link inside an email he’d recently received. The notification itself was displayed in the browser, leading Cassidy to suspect he’d just been Phished.

“Any malicious website could have drawn that notification. Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well. Since LastPass has an API that can be accessed remotely, an attack materialized in my mind,” Cassidy said.

An attack against LastPass can leverage compromised websites, or websites vulnerable to Cross-Site Scripting (XSS), and because it uses the exact visual elements LastPass users are trained to recognize and understand, they’re not going to be on alert or suspect an attack is taking place.

LastPass was vulnerable to a CSRF that will log the user out, and enable an attacker to display a fake banner that prompts them to enter their credentials. The banner itself is an exact clone of the real one, and users are used to this visual cue, which means they wouldn’t hesitate to do as it asks.

Once the victim clicks on the banner, they’re directed to a malicious page that looks identical to the normal LastPass login prompt, because it uses the actual design elements created by LastPass. Cassidy was able to obtain the proper visuals with cut and paste; he simply used view source on the web pages when the legitimate prompts were displayed.

Once the login credentials are entered, the information is passed to the LastPass API and verified. If the account requires two-factor authentication, the attacker can direct the user to a second page that will offer an exact copy of the two-factor prompt. If the credentials are invalid, the user will be directed to the malicious page and the display banner will report the error as expected.

“Once the attacker has the correct username and password (and two-factor token), download all of the victim’s information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a ‘trusted device’. Anything we want, really,” Cassidy wrote in a post-talk overview.

LastPass had a measure that was supposed to stop attacks like this, as it would email the user with an alert any time a new IP address attempts to log in. However, if the user has two-factor enabled, then the emailed warning isn’t delivered, leaving the user unaware that anything has happened.

“I think that the security industry’s view of Phishing is naive at best, negligent at worst. Phishing is the most dominant attack vector and is used by everyone from run-of-the-mill CryptoLocker types to APTs,” Cassidy wrote. “The real solution is designing software to be Phishing resistant. Just like we have anti-exploitation techniques, we need anti-Phishing techniques built into more software. Software security evaluations should also include how easy it is to Phish said software.”

In a statement to Salted Hash, Joe Siegrist, VP and GM of LastPass, said that the company worked with Cassidy and confirmed the issue was a Phishing attack and not a vulnerability in LastPass itself.

He also said the company released an update that “will prevent a user from being logged out by the Phishing tool, thereby mitigating the risk of the phishing attack. In addition, LastPass has a built-in security alert to let you know when you’ve entered your master password into a non-LastPass web form.”

The good news is, the patch did fix many elements of the Phishing issue. But the bad news is, it didn’t fix it completely. In fact, it made the issue worse on some levels.

“I was happy they acknowledged the issue, but I was disappointed that they said it wasn’t a vulnerability in LastPass itself. I do think it’s a vulnerability in LastPass. It leverages a vulnerability in Chrome, and it uses how Firefox does pop-up windows, but ultimately LastPass is responsible for the security of their users, and I feel they have to own it,” Cassidy said in an interview after his talk.

The patch fixed the CSRF vulnerability on Chrome, but it also implemented a feature that highlights when a user enters their master password, by generating the warning alert in the same window that the attacker can control.

“So I actually can detect when [LastPass] puts that message in there, and now I know your master password. I don’t even have to ask LastPass for it [via API], I know it now, because LastPass [via the alert] told me what it was.”

If the attacker wishes to do so, the warning issued by LastPass can be suppressed, the master password recorded, and the user forwarded to a new domain, secondary form, or anywhere else. Since the warning was suppressed, they wouldn’t know their master password was exposed.

At the end of his talk on Saturday morning, Cassidy released LostPass, a tool that will demonstrate the attack and enable others to replicate it, on GitHub.