LastPass Phishing Attack Lets Hackers Get All Your Passwords

Be careful what you click.

Password managers are great, and using one on a daily basis is probably the number one thing you can do to lessen your chances of getting seriously owned. But that doesn't mean they're perfect, and small software flaws combined with good old-fashioned social engineering can go a long way.

Case in point: Using a new phishing attack developed by security researcher Sean Cassidy, attackers could gain access to all passwords stored by a user of LastPass, including accounts protected by strong security measures like two-factor authentication—if users aren't careful about what they click.

During a presentation on Saturday at the ShmooCon hacker conference in Washington, D.C., Cassidy demonstrated how users can be fooled into submitting both their LastPass master password and their 2nd-factor authentication code to a malicious server using bogus pop-up notifications in the browser.

It works by first having the victim visit a malicious site, which runs javascript code that generates a browser notification telling them they've been logged out of LastPass. The message is identical to the one displayed by LastPass, and directs victims to a fake LastPass login screen. This prompts the user to enter their master password and (if it is enabled) their 2-factor authentication code, then transmits them to a web server controlled by the attacker. The attacker can then access LastPass' API and use those credentials to download and decrypt the user's entire password vault.

Cassidy says this is possible partly because LastPass is vulnerable to a cross-site request forgery, meaning any site can send the application a logout notification.

The attack also demonstrates how using a browser-based password manager that stores your passwords in the cloud can be much riskier than using one that keeps the master file on your local devices. Unlike other options like 1Password and KeePass, LastPass strongly encourages users to keep an encrypted backup of their password vault on its servers. This is better for convenience when keeping in sync with multiple devices, but it also means anyone with access to your LastPass login credentials can get a copy of your password file.

"You don't [need to] have access to a LastPass user's machine," writes Cassidy in a blog post explaining the attack. "Instead, you trick the user into giving you their credentials."

In an email sent to Motherboard, a LastPass representative confirmed the company worked with Cassidy to fix the issue after he reported it in November. But the company also dismissed the vulnerability as "a phishing attack, not a vulnerability in LastPass." The company says it has released an update that prevents users from being logged out by Cassidy's phishing tool, and also implemented "a built-in security alert to let you know when you've entered your master password into a non-LastPass web form."

Cassidy disagrees that this puts the matter to rest. Since the security alert is sent through the browser's viewport, just like the logout message, an attacker-controlled website could easily detect when LastPass sends the alert and suppress it, he says.

"We as an industry do not respond to phishing attacks well," he writes. "In my view, it's just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such."

UPDATE, 01/18/2016, 11:14 am ET: LastPass has responded with a blog post detailing more changes it has made to defend against phishing attacks like Cassidy's. This notably includes sending verification emails whenever an account is logged into from an unrecognized location, even when 2-factor authentication is enabled. This would prevent an attacker who tricked a user into submitting their LastPass login credentials from being able to obtain their password file, unless the attacker also had access to their email.

In an email sent to Motherboard, Cassidy says that the email confirmation step "mitigates most of the danger." But he also warns that the practice of sending notifications in the browser's viewport still makes it possible for users to be easily tricked.

"I still want them to stop putting notifications in the viewport, but they've been reluctant to do so," says Cassidy. "One of their other mitigations, telling you that you've typed in your master password into a field, actually resulted in another bug because they put the notification in the viewport."

Additional reporting by Lorenzo Franceschi-Bicchierai