LostPass: A phishing attack against LastPass

Security researcher Sean Cassidy has discovered a LastPass phishing attack, which would allow an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.

The attack is conducted thanks to a simple LastPass feature – browser notification.

lastpass_notification

 

 

 

 

 

Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and login screen.

Since the notification is displayed in browser viewport attacker can display a fake notification which looks exactly like LastPass’s original.

How does the attack work?

A victim visits a malicious website or a real website vulnerable to XSS. An attacker deploys a script lostpass.js from Github. The script will check if users have LastPass installed and will pop-up a login expired notification asking users to re-login. LastPass has a Cross-site Request Forgery (CSRF) vulnerability allowing any website to log users out of the extension.

After the notification is clicked users are transferred to a well-known LastPass login page

lostpass_login

 

 

 

 

 

 

 

After victim enters credentials, an attacker will use LastPass API to check the validity of entered information via his own servers. In case if entered username and password are not correct, attacker will redirect the user back to the website and will display an Invalid Password notification.

If user has a two-factor authentication enabled, they will be redirected to the two-factor authentication page:

lostpass_2fa

 

 

 

 

 

 

 

 

Once the attacker has the correct username and password (and two-factor token), download all of the victim’s information from the LastPass API. Attacker can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a “trusted device” and much more.

Sean Cassidy published this information on his page.

 

 

 

One Response

  1. StevenR Parks February 6, 2016

Leave a Reply