A security researcher has developed a phishing attack against the LastPass password manager app that is virtually impossible to detect and has the ability to mimic the LastPass login sequence perfectly.
The technique takes advantage of several weaknesses in the way that LastPass handles user logout notifications and the resulting authentication sequence. Sean Cassidy, the CTO of Seattle-based Praesidio, developed the attack and has released code for the technique, which he calls LostPass. In essence, the technique allows an attacker to copy much of the login sequence for a LastPass user, including the use of identical login dialogs and the ability to capture and replay two-factor authentication codes.
Cassidy discovered the technique after becoming suspicious when he received a message in Chrome telling him that his LastPass session had expired and he needed to log back in.
“When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification,” Cassidy said in a blog post explaining LostPass.
“Any malicious website could have drawn that notification. Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well.”
In order for LostPass to work, an attacker needs to get a victim to visit a malicious site where the LostPass code is deployed. The code checks whether the victim has LastPass installed and, if so, uses a CSRF (cross-site request forgery) weakness in LastPass to force the victim to log out of the extension. LostPass then draws the familiar "logged out" notification in the browser viewport; when the victim clicks it, she is taken to a login page the attacker controls that looks identical to the authentic one.
Once the victim enters her credentials, they are sent to the attacker's server, which uses the LastPass API to check that they are valid. If the API indicates that 2FA is enabled on the victim's account, LostPass displays a screen asking for the 2FA code, which the attacker captures and uses to log in to the victim's account.
“Once the attacker has the correct username and password (and two-factor token), download all of the victim’s information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a ‘trusted device’. Anything we want, really,” Cassidy wrote.
The attack has serious implications for LastPass users, who have been trained to respond to notifications from the app in the browser window. Cassidy disclosed the LostPass attack to LastPass in November and said the company didn’t respond until December. He spoke about the technique at the ShmooCon security conference last weekend and since then LastPass has begun requiring email confirmation for any new logins.
However, Cassidy said that doesn’t fix the problem, but just mitigates it. A better solution, he said, would be to stop showing user notifications in the main part of the browser window.
“They should not show notifications in the viewport (the part of the browser where the content is shown). They should either move their login page to HTTPS EV or only display it in a pop-up window like they sometimes do in Chrome,” Cassidy said by email.
Cassidy added that LastPass has since disputed whether he contacted the company in November, even though he has produced the email as proof of the contact.
“And to imply that I withheld information for my talk is just ridiculous. I told them everything that was going to be in there in advance,” Cassidy said by email.
Image from Flickr stream of Christiaan Colen.