Users of LastPass are exposed to a phishing attack that calls for preventive measures. Sean Cassidy, CTO at Praesidio, a cloud cyber security startup, found that an attacker can steal a user’s email address, master password and two-factor authentication code, which exposes every document and password the user has stored. He described the attack and suggested protective measures on his website, and also presented it at ShmooCon 2016, a hacker convention.
The attack, which Cassidy calls LostPass, relies on the fact that the messages LastPass displays inside the browser can be faked by an attacker. The user cannot tell the fake LostPass message from the real one: the notification and the login screen match the originals pixel-for-pixel.
The attack method Cassidy describes works in Google Chrome and to a degree in Firefox. In Google Chrome, fake messages look the same as the LastPass extension messages. Such is not the case with Firefox.
Cassidy related an incident from a few months earlier, when LastPass showed a notification in his browser saying that his session had expired and he needed to log in again. He had not used LastPass for a few hours and had done nothing that should have logged him out. When he clicked the notification, it displayed a login message in the browser viewport, and he realized that any malicious website could have drawn that notification itself.
Because LastPass has trained its users to expect notices in the browser viewport, such a notice gives them no reason for concern. The login screen and the two-factor prompt are drawn in the viewport as well.
Because LastPass also exposes a remotely accessible API, Cassidy saw how an attack could be built.
How It Works
The LostPass steps are as follows.
The attacker gets the victim to visit a malicious website that appears benign, or a legitimate website that is vulnerable to XSS (cross-site scripting). Once the victim is there, the page runs lostpass.js. The user has no reason to be alarmed, since the site does not claim to be secure; it could be hosting nothing more than an image or a funny video.
If the user has LastPass installed, the attacker displays the fake session-expiration notification and logs the user out of LastPass, so the user really is logged out and the notification matches the extension’s actual state.
When the user clicks on the false banner, the attacker directs them to an attacker-controlled login page that appears identical to the LastPass login page.
The “chrome-extension.pw” domain looks like the Chrome protocol prefix “chrome-extension:”. There is an open issue in Chromium that addresses this.
Next, the victim enters their password, and the credentials are sent to the attacker’s server, which checks whether they are correct by calling LastPass’s API. The API also reports whether two-factor authentication is required.
If the username or password is incorrect, the attacker redirects the user back to the malicious website. This time, the LostPass notification bar reads “Invalid Password.”
If the account requires two-factor authentication, the attacker redirects the user to a fake two-factor prompt.
Once the attacker has a working username and password (and, where required, the two-factor token), the attacker downloads the victim’s information from the LastPass API. The attacker can also install a backdoor in the user’s account through the emergency contact feature, disable two-factor authentication, and add the attacker’s server as a trusted device.
The steps described parallel the path LastPass follows when a user logs out remotely.
Why It’s So Effective
Training is of little use against this attack, because the user sees almost no difference between the real and fake versions.
The LastPass login workflow is buggy and complex: it sometimes displays login pages in the viewport and sometimes displays them as popup windows.
The presence of the LastPass extension is easy to detect, and it was even easier to obtain the exact CSS and HTML LastPass uses to display login pages and notifications.
Best Browsers And OSs
The attack works best on the Chrome browser, since Chrome’s LastPass login page is rendered in HTML. Firefox opens a separate window for login, so the window takes on the native look of whatever operating system the user is running.
Cassidy has experimental support in LostPass for Firefox on Windows 8 and OS X, but it is not enabled by default.
He developed LostPass specifically against LastPass 4.0 and did not include any version detection.
To safeguard against attacks, Cassidy recommends the following steps for individuals and companies, not in any particular order.
• Ignore browser window notifications.
• Enable IP restrictions, which are available only on paid plans.
• Disable mobile login, keeping in mind that other attacks can use the non-mobile API.
• Log all failures and logins.
• Advise employees of the potential attack.
Two-factor authentication does not help; instead, it makes the attack easier.
LastPass, by default, sends an email confirmation when a new IP address tries to log in. While this should completely halt the attack, it does not. LastPass documentation indicates the confirmation email only gets sent if the user doesn’t have two-factor authentication enabled.
Because LostPass phishes for a two-factor authentication code, it bypasses the email confirmation step.
LostPass could be made more effective in cases where it is blocked by a confirmation email (i.e., “Please confirm your login email to continue”), but the attack is already strong enough as it stands.
Have You Been Attacked?
To determine whether they have been attacked, users can view their “LastPass Account History,” which lists all login attempts and the corresponding IP addresses.
There are alternatives to LastPass, but Cassidy has not researched them and cannot vouch for their safety.
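The account history review above, together with the earlier advice to log all failures and logins, can be turned into a simple check. The following is an added example, not code from the article or from LostPass; the record format and the sample events are constructed for illustration, and the two signals it looks for (a successful login from an address never used before, and a failed attempt shortly before a success from a different address) are assumptions about what an attacker validating stolen credentials against the API would leave behind.

```python
# Added example: review a constructed password-manager account history for
# logins worth a second look. Not a real LastPass export format.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    time: datetime
    ip: str
    success: bool


# Constructed sample history; timestamps and addresses are made up.
SAMPLE_HISTORY = [
    LoginEvent(datetime(2016, 1, 10, 8, 2), "203.0.113.10", True),    # usual address
    LoginEvent(datetime(2016, 1, 11, 8, 5), "203.0.113.10", True),
    LoginEvent(datetime(2016, 1, 12, 19, 31), "198.51.100.7", False), # failed attempt
    LoginEvent(datetime(2016, 1, 12, 19, 33), "192.0.2.44", True),    # new address, 2 min later
]


def suspicious_logins(history, window=timedelta(minutes=10)):
    """Walk the history in time order and return [(event, reasons)] for each
    successful login that deserves review. "new_ip" means the address never
    completed a login before (the very first success only seeds the baseline,
    so a history that was compromised from the start is not caught);
    "preceded_by_failure" means a failed attempt fell within `window`."""
    seen_ips = set()        # addresses with at least one earlier success
    failure_times = []      # times of failed attempts seen so far
    flagged = []
    for ev in sorted(history, key=lambda e: e.time):
        if not ev.success:
            failure_times.append(ev.time)
            continue
        reasons = []
        if seen_ips and ev.ip not in seen_ips:
            reasons.append("new_ip")
        if any(ev.time - t <= window for t in failure_times):
            reasons.append("preceded_by_failure")
        if reasons:
            flagged.append((ev, reasons))
        seen_ips.add(ev.ip)
    return flagged


def report(flagged):
    """One human-readable line per flagged login."""
    return [f"{ev.time:%Y-%m-%d %H:%M} {ev.ip}: {', '.join(r)}" for ev, r in flagged]


if __name__ == "__main__":
    for line in report(suspicious_logins(SAMPLE_HISTORY)):
        print(line)
```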
He recommends the following user considerations:
• Browser extensions carry greater risk than native applications.
• An API makes it easier for attackers to steal a lot of data.
• Store only frequently-used and low-risk data in a password manager.
An earlier attack, “Even the LastPass Will be Stolen, Deal with It,” published by Garcia and Vigo, presented a client-side attack relying on design choices by LastPass that leave it exposed on a compromised machine.
Cassidy’s work approaches LastPass from a different angle: it does not require access to the LastPass user’s machine, since the attacker tricks the user into handing over their credentials.
Why He Developed It
In discussing why he developed the attack, Cassidy said the security industry is naïve about phishing, which is the most common attack vector.
Better user training will not solve the problem. What is needed is software designed to be phishing resistant, and security evaluations should include how easily the software can be phished.
Cassidy said he is publishing this tool so companies can make informed decisions about the attack and how to best respond.
Because the vulnerability is hard to fix and easy to exploit, Cassidy believes it is appropriate to release a tool.
He informed LastPass in November, and they acknowledged the problem in December.
LastPass initially took the problem to be mainly the CSRF (cross-site request forgery) logout and suggested the attack would not work because of the email confirmation step. A spokesperson said LastPass can confirm the issue is a phishing attack but not a vulnerability, a position Cassidy disputes.
One fix LastPass implemented was to warn users when they type their master password into a website. The problem is that this warning is displayed in the browser viewport like all of LastPass’s other messages, and if the website is attacker-controlled, detecting when the notification is added to the page is trivial.
Cassidy suppresses the notification in LostPass and sends a request to an attacker server to log the master password.
He does not blame LastPass for the fact that the industry does not respond well to phishing attacks.
A Warning To The Industry
Cassidy said it is important to inform users about security concerns in the products they use. Security researchers too often defer to corporations and withhold vulnerabilities from the users who should know about them.
Operating systems and browsers can address this class of bugs. To spoof the “chrome-extension” protocol, Cassidy purchased the domain “chrome-extension.pw,” which looks similar; connecting to this domain over HTTP makes the address resemble the built-in protocol. An open issue in Chromium addresses this. The original article includes a side-by-side image of LastPass and LostPass on Firefox for Windows 8.
Firefox is harder to spoof. Cassidy had to manually draw each OS’s native widget using CSS and HTML. These are not perfect, but close enough.
Because the browser viewport can render any pixels at all, thought must be given to how native windows can be visually authenticated.
The code is available on GitHub.