New research showing that a simple phishing attack can compromise the popular LastPass password manager was presented by security researcher Sean Cassidy at the hacker convention ShmooCon on Saturday.
According to Cassidy, attackers can fake the notifications that LastPass 4.0 displays in the user's browser window to trick them into revealing their log-in credentials, and can even capture one-time passcodes.
Cassidy, CTO of the security firm Praesidio, uploaded a tool to GitHub named LostPass that shows how attackers can spoof LastPass's alerts in order to obtain a target's username and password.
Cassidy discussed LostPass and the methodology of the attack in a blog post, describing how LastPass alerts users when they have been logged out of the password manager. That alert, however, is displayed inside the browser's viewport, and an attacker can recreate and trigger the same alert if the user can be directed to a malicious website.
Once a LastPass user visits a malicious website where LostPass is deployed, the attacker can log the user out of LastPass and then display a banner that leads to a fake log-in page for the password manager. Victims then unknowingly enter their credentials and send them to the attacker's server, which checks whether the username and password are correct by calling the LastPass API.
Users who have two-factor authentication enabled can be redirected to a two-factor prompt so that the attacker also obtains the two-factor token. With the token and the target's username and password, the attacker can retrieve all of the user's other information through the LastPass API, and can do practically anything else as well, such as creating a backdoor in the LastPass account through the emergency contact feature, turning off two-factor authentication, adding the attacker's server as a trusted device, and more.
Cassidy noted that many responses to phishing amount to training the users, as if it were their fault that they were attacked. Such training would not be effective against tools such as LostPass, as there is little or no difference in what users see.
Cassidy reported the problem to LastPass, and the company stated in a blog post that it has made improvements to make such tricks harder for attackers to pull off.
LastPass said that, through the password manager's browser extension, users can see that they are still logged in even when a page claims they have been logged out. LastPass will also now warn users when they have entered their master password on a page outside of LastPass, before that page is submitted.
LastPass will also implement email verification steps, requiring access to the user's email address when a log-in comes from an unknown device or location. In addition, users with two-factor authentication will now be required to complete a verification step that could previously be skipped.
LastPass will also warn when the user's master password is reused on other websites, and developers are working on moving LastPass notifications out of the browser viewport to eliminate the chance of their being spoofed in phishing attacks.