Researcher shows targeted phishing attack on LastPass
Researcher Sean Cassidy has revealed that password manager LastPass is vulnerable to a phishing attack. As a result, an attacker could gain possession of the password, email address, and two-factor authentication code. The company has already taken action.
The attack, whose code is now on GitHub, works by showing the user a login window that does not come from LastPass itself. According to Cassidy, this screen is indistinguishable from the real thing, because it matches the LastPass login page pixel for pixel. To carry out the attack, the user first has to be lured to a malicious site. If the user has the password manager installed, they then see a notification saying that they have been logged out.
Any website could log users out, because LastPass was vulnerable to cross-site request forgery (CSRF). If the user then clicks on the fake notification, they are redirected to a malicious login page that is identical to the LastPass login page. So as not to arouse suspicion, Cassidy registered the domain chrome-extension.pw, because it closely resembles the URL that opens when you log in to LastPass. The user then fills in their credentials, and the malicious page checks via the LastPass API whether two-factor authentication is enabled for the account. If it is, a message is shown that the password is incorrect and that the two-step authentication code must be entered. Once the user has entered all of this, the attacker has access to the entire password vault.
LastPass has since responded to the attack with several measures. For example, it is no longer possible for malicious websites to log a user out, and users now see a warning if the master password is entered on a site that does not belong to LastPass itself. Cassidy says the company initially assumed the problem stemmed from the CSRF vulnerability and that users should be better "trained" to identify windows, for example by checking the URL. He disagrees, because there is virtually no difference between a real page and a fake one.
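The two mitigations described above, modelled as added example code (not LastPass's own implementation): an origin check that would trigger the warning when a master password is submitted from a look-alike such as chrome-extension.pw, and a logout handler that rejects cross-site requests. The trusted origins and the extension ID are assumed placeholders.

```python
from urllib.parse import urlsplit
import hmac

# Assumed placeholder, not a real extension ID: the origin of the genuine
# browser-extension login page (chrome-extension://<id>/...).
EXTENSION_ID = "placeholderextensionid"


def login_origin_is_trusted(url: str) -> bool:
    """True only if the page asking for the master password is served from a
    trusted origin. A look-alike such as https://chrome-extension.pw/ has scheme
    'https' and host 'chrome-extension.pw', so it is rejected; so is plain http
    and a host that merely starts with 'lastpass.com'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return host == "lastpass.com" or host.endswith(".lastpass.com")
    if parts.scheme == "chrome-extension":
        return host == EXTENSION_ID
    return False


def logout_request_allowed(headers: dict, session_token: str,
                           form_token: str) -> bool:
    """Hardened logout check. The vulnerable version would simply return True
    for any POST to the logout endpoint, which is what let any site log users
    out. Here the request must (1) originate from a trusted origin and
    (2) carry an anti-CSRF token equal to the one bound to the session."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not login_origin_is_trusted(origin):
        return False
    # constant-time compare so the token check itself leaks nothing
    return hmac.compare_digest(session_token, form_token)


if __name__ == "__main__":
    # constructed sample requests
    print(login_origin_is_trusted("https://chrome-extension.pw/login"))  # False
    print(logout_request_allowed({"Origin": "https://lastpass.com"},
                                 "tok123", "tok123"))  # True
```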
According to Cassidy, the warning does not help, because an attacker controls what is shown in the browser window. He adds that operating systems could also play a role in making login windows harder to imitate. LastPass, for its part, says that Google could improve Chrome by allowing extensions to show notifications outside the DOM.
The malicious login page with the .pw URL
The real login page