LastPass Password Manager, renowned as a secure vault for users' passwords, has recently been shown to have weaknesses that could expose many users' accounts.
A phishing technique can do the trick: it is little more than a combination of software flaws and social engineering. Security researcher Sean Cassidy, who developed the phishing attack, claims that a simple email could potentially bypass strong security measures in place, such as two-factor authentication.
According to Cassidy, users can be tricked into submitting their LastPass master password, and even their second-factor authentication code, through lookalike pop-up notifications in the browser.
The victim visits a malicious site that runs JavaScript code. The code displays a browser notification informing the user that they have been logged out of their LastPass account. The notification is indistinguishable from those found on the LastPass website and instructs the user to enter their master password and, if enabled, the two-factor authentication code. The attacker can then retrieve this data and therefore gains access to all of the user's passwords in the vault.
Cassidy explained how LastPass is vulnerable to a cross-site request forgery (CSRF): any website is able to send a logout request to the application. Cassidy also underlined how using a browser-based password manager such as LastPass, which stores users' passwords in the cloud, is actually more dangerous than using a simpler application that stores data on the user's local device. Another weakness is the encrypted backup of one's password vault on the application's server, which LastPass recommends to its users: on one hand this is convenient, but on the other hand it gives whoever possesses the login credentials access to a copy of the password file.
Cassidy reported the issue back in November, and LastPass confirmed it worked with him to fix it. The company, though, disputed the claim that there was a vulnerability in LastPass and stressed that it was a phishing attack. The company then released an update to prevent users from being logged out by other sites, and improved its security measures so that users are notified if they enter their master password into a non-LastPass form.
Cassidy counters that this type of security alert, since it comes from LastPass itself, could be detected by an attacker-controlled website and suppressed, rendering it useless. He also stresses that a phishing attack cannot be treated differently from a remote code execution vulnerability.
The means differ, but in most cases the end is the same: stealing people's data. Therefore, a stronger focus should be put on defending users' data at all costs.