LostPass attack reveals LastPass 2FA phishing weakness


LastPass has, over the weekend of 16-17 January 2016, been back in the news courtesy of yet another weakness courtesy of the LostPass attack.

Nothing has been compromised, apart from maybe the good name of LastPass as every potential weak spot that is shown to be exploitable whittles away at user trust in the product.

A security researcher has shown how the LostPass attack could bypass LastPass logins even with 2FA enabled.

Passwords suck. Consumer and small business password vaults and management tools make them a lot less sucky. Until your password manager gets compromised and then we move firmly into ‘elephants through a straw’ sucking territory.

LastPass is probably the best known and largest of the password managers out there. Recently acquired by LogMeIn for $125 million, leading to no small amount of user hostility in the usual social media circles, LastPass knows all about the compromise risk.

The bottom line being that the most secure password is the one that remains in your head, and in your head alone. Until you forget it, then it moves to your arse where it becomes a firmly lodged pain

Indeed, when LastPass fessed up that “account email addresses, password reminders, server per user salts, and authentication hashes were compromised” back in June 2015, it was a big deal.

Despite there being “no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed” it was inevitable that the whole ‘passwords in the cloud’ insecurity debate would awaken as a result.

And, oh boy, did it. The bottom line being that the most secure password is the one that remains in your head, and in your head alone. Until you forget it, then it moves to your arse where it becomes a firmly lodged pain.

Which is why we use password managers in the first place. Unless you are some kind of autistic savant with an incredibly enhanced memory, there’s no way you will remember 118 complex and unique strings. 118 is, according to recent analysis, the average number of online accounts per person in the UK. For our American readers the average jumps up to 130.

Going back to that bottom line, the second most secure way of dealing with the password problem is to keep them in a local encrypted password vault database. Better still, keep that database on an encrypted USB memory stick. That way only the person in possession of the stick, the decryption code for the stick and the decryption code for the database can get access.

Such a solution exists in the form of KeePass for the password vault piece of the puzzle, and VeraCrypt for the USB container encryption piece if you don’t have the luxury of a device with hardware encryption.

So why isn’t everyone using this solution then? Simples: it’s not all that convenient. Yep, once again it’s that age old battle between ease of use and hardening of security posture. For most people, the balance quickly tips in favour of convenience when every site and service requires a lengthy and complex password to be considered reasonably secure these days.

And that means you either fire up your USB-based database and copy the password across, character by increasingly tedious character, or you take the easier but inherently riskier option of using a cloud-based service. The cloud-based service lets you sync your password vault across devices and that, if you’ll excuse the pun, is the key.

Whether you are accessing a service on your smartphone, tablet, laptop or desktop machine you will always have the right login to hand. Not only is this an ease of use issue, but it also provides an instant backup bonus. Your laptop barfs, you still have access to your vault on your smartphone and vice versa.

Sure, you could keep a second copy of your USB-based encrypted local solution as a backup (and I would recommend you do, keeping it locked away safely), but that doesn’t provide instant ointment. It also weakens the security strength of the solution by adding a secondary risk factor, in the extra device that could be attacked if discovered.

So password managers are here to stay, of that I suspect there is little doubt. Unfortunately, that means they will remain a very lucrative target for the bad guys. Keys to the castle, and all that.

In the LostPass case it was security researcher Sean Cassidy who demonstrated how a cleverly crafted phishing attack could leave LastPass accounts wide open, even if they had Two Factor Authentication (2FA) enabled.

In his ‘LostPass’ presentation to the ShmooCon hacker conference in Washington D.C. over the weekend, Cassidy revealed how the LostPass attack works because “LastPass displays messages in the browser that attackers can fake.”

The full LostPass code is available via Github for anyone who wants to take a look. However, in what Cassidy calls a ‘pixel-perfect phishing’ attack, LostPass exploits the user expectation of session expired ‘log in again’ notifications displayed in the browser viewport.

Thing is, an attacker could draw the notification instead of LastPass and the user would be none the wiser. “The LastPass login screen and two-factor prompt are drawn in the viewport as well,” Cassidy explains.

OK, like all phishing attacks it does require a fair degree of user interaction including visiting a malicious site. However, it then just takes the lostpass.js to be deployed, which checks for the LastPass plug-in being installed and if found displays the fake, but pixel perfect, login expired notification while at the same time logging the user out of LastPass with a logout Cross-Site Request Forgery (CSRF).

LastPass has a good record of being open about potential compromises, and responding quickly as a rule. The LostPass situation is no different, and we applaud them for it.

The user is then directed to the attacker-controlled login page, and the damage is done. Even if when calling the LastPass API it discovers that 2FA is required, LostPass can simply redirect them to a fake 2FA prompt to capture the required information.

What makes this even more concerning, and exploits another ‘ease of use’ feature just introduced to LastPass in the form of an emergency contact, is that LostPass can add the attacking server as a trusted device for a good degree of attack persistence.

Cassidy warns that the attack works best “against the Chrome browser because they use an HTML login page,” whereas Firefox pops up a window for its login page, “so it looks like whatever operating system you’re on.”

LastPass itself has responded quickly with a statement that says it has introduced prevention that stops a malicious page from actually logging the user out of LastPass. “Even though the malicious page shows a fake LastPass notification saying the user has been logged out and needs to login again,” LastPass insists, “the user can see that the LastPass extension itself in their browser toolbar is still logged in.”

Of course, the user may not spot that and may well click on the fake notification to login again, what then? “LastPass will detect if the user enters their master password on a non-LastPass page and pops a strong warning,” we are told, “even before the user submits it to the page.”

This means that the user should be aware, immediately, that their master password may have been compromised and have the opportunity to change it. Unless the attacker suppresses that warning, as suggested by Cassidy in his presentation.

LastPass states that, despite what Cassidy says, if a user enters their master password and two-factor data, the attacker would be unable to gain access to the account without also completing the email verification steps. “This requires access to the user’s email address (or security email address, if enabled for their LastPass account) to approve the new location or device.”

It does seem that, as LastPass says, the email verification process reduces the threat of the LostPass attack. It’s perhaps most dangerous if the attacker also has access to a compromised email account. This isn’t beyond the realms of possibility, of course, but the attack risk factor is diluted somewhat it would seem.

LastPass has a good record of being open about potential compromises, and responding quickly as a rule. The LostPass situation is no different, and we applaud them for it. As from now it’s the default to have email verification switched on when logging in from unknown devices or locations, even for those users with 2FA enabled.

LastPass says it is “working to release additional notification options that bypass the viewport and therefore eliminate the risk that it presents in phishing attacks.” All we need now is for it to work a bit harder.