'LostPass' phishing attack targets LastPass credentials

A new proof-of-concept attack presented at ShmooCon 2016 exploits security weaknesses in cloud-based password manager LastPass and could allow attackers to gain control of users' accounts.

Cloud-based password manager LastPass has addressed a newly published attack that uses a simple phishing scheme to obtain users' credentials and gain complete control of their accounts.

The "LostPass" phishing attack was outlined by Sean Cassidy, CTO of cloud security startup Praesidio, at hacker conference ShmooCon in Washington, D.C., on Saturday. In a blog post, Cassidy explained how he was able to create an exact replica of the LastPass login and notification pages. Using a simple phishing email attack, Cassidy showed how an attacker can direct users to a fake login page and obtain their passwords, email addresses and two-factor authentication codes, which would then give the attacker complete control of the cloud account.

"LostPass works because LastPass displays messages in the browser that attackers can fake," Cassidy wrote. "Users can't tell the difference between a fake LostPass message and the real thing because there is no difference."

Specifically, LastPass notifications are displayed in the browser viewport and are easy to reproduce, Cassidy claimed. Attackers can create a fake logout notification that appears in users' viewports once they visit the malicious link in the phishing email. Cassidy noted that the LostPass attack works best in Chrome, but that it's also possible to execute in Firefox.

"Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser," he wrote. "The LastPass login screen and two-factor prompt are drawn in the viewport as well."

As a result, Cassidy explained that LastPass is vulnerable to what's known as a logout cross-site request forgery (CSRF), meaning any website can log users out of their LastPass accounts. Once users click on the fake logout notification, the LostPass attack then sends users to an attacker-controlled login page that asks for users' credentials and two-factor code to log back in.
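The following is an added example, not code from Cassidy's post or from LastPass: one common way a service closes a logout CSRF hole is to accept logout only as a same-origin POST carrying a per-session token. The origin, session ID, key handling and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret (constructed)
ALLOWED_ORIGIN = "https://vault.example"    # placeholder for the service's own origin


def csrf_token_for(session_id: str) -> str:
    """Token bound to one session, so it cannot be replayed in another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout(method, headers, cookies, form, sessions):
    """Return (status, reason); the session is destroyed only on 200."""
    # A state-changing action must not be reachable by a plain GET, which any
    # third-party page can cause the browser to issue with cookies attached.
    if method != "POST":
        return 405, "logout requires POST"
    # Browsers attach Origin to cross-site POSTs; accept only our own origin.
    if headers.get("Origin") != ALLOWED_ORIGIN:
        return 403, "cross-site request"
    sid = cookies.get("sid", "")
    if sid not in sessions:
        return 401, "no active session"
    # Constant-time comparison of the per-session token.
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, csrf_token_for(sid).encode()):
        return 403, "missing or wrong CSRF token"
    sessions.discard(sid)
    return 200, "logged out"


def demo():
    sessions = {"s-123"}                      # constructed session store
    cookies = {"sid": "s-123"}                # cookie the browser sends automatically
    other = {"Origin": "https://other-site.example"}
    own = {"Origin": ALLOWED_ORIGIN}
    forged_get = handle_logout("GET", other, cookies, {}, sessions)
    forged_post = handle_logout("POST", other, cookies, {}, sessions)
    no_token = handle_logout("POST", own, cookies, {}, sessions)
    still_logged_in = "s-123" in sessions
    genuine = handle_logout("POST", own, cookies,
                            {"csrf": csrf_token_for("s-123")}, sessions)
    return forged_get, forged_post, no_token, still_logged_in, genuine, "s-123" in sessions


if __name__ == "__main__":
    print(demo())
```

This guard only stops a third-party page from forcing the logout; it does nothing about a lookalike login prompt drawn in the viewport, which is the other half of the attack described here.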

In addition, Cassidy pointed out that the LastPass API can be accessed remotely: the attacker's server can call that API, even if LastPass isn't installed on that system, and use the stolen credentials to log into victims' accounts, giving the attacker complete control of those accounts.

Cassidy suggested that LastPass users take several steps to mitigate the LostPass attack, including ignoring notifications in their browser, disabling mobile logins and enabling IP restrictions to prevent logins on unknown IP addresses. Since customer email addresses were exposed in a LastPass data breach in June, LastPass users may be especially vulnerable to phishing attacks.

Following Cassidy's LostPass presentation, LastPass addressed the issue and posted a statement on its website. "Although this is not a vulnerability in LastPass, we have outlined some steps below that will mitigate the risk of this and future phishing attacks," the company stated.

Those steps include adding a new security control that requires email verification for all LastPass users, even those with two-factor authentication enabled, when they attempt to log in from unknown devices or locations. Previously, LastPass allowed users who had enabled two-factor authentication to bypass the email verification process because "they already had additional protection enabled for their account." But Cassidy pointed out in his blog post that in this case, two-factor authentication makes this attack "significantly easier."

In addition, LastPass said it would revisit its notification system. "Our team is working to release additional notification options that bypass the viewport and therefore eliminate the risk that it presents in phishing attacks," the company wrote in its statement.

LastPass also put Google on notice for its part in the LostPass attack. Specifically, LastPass said it has "encouraged Google for years to provide a way to avoid using the browser viewport for notifications," and that a "true solution" to the threat would be for Google to release infobars in Chrome allowing extensions to do notifications outside the DOM. "We hope that future improvements to the browser will help us go even further to protect users from these types of attacks," the company said.

LastPass said it asked Google to make this change in Chrome as far back as 2012, demonstrating that LastPass knew the viewport notifications in Chrome were problematic for years but continued using them rather than employing an alternative system or implementing additional security controls that would prevent a LostPass-like attack. In an email response to SearchSecurity, Joe Siegrist, vice president and general manager of LastPass, said that since 2011 LastPass made "a number of changes" to address issues with Chrome, including using IFrames everywhere in the browser. Siegrist also said the company previously didn't think the type of path used by LostPass posed a security issue to users. 

LastPass vulnerability debate

While LastPass argued that the LostPass attack did not involve a specific LastPass vulnerability, Cassidy disagreed and explained that the password manager's security controls were inadequate to prevent a logout CSRF flaw from being exploited. He explained he notified the company about LostPass in November and received a response last month.

"At first LastPass understood this bug to be mainly a result of the logout CSRF," he wrote. "Then they suggested it wouldn't work because of the email confirmation step."

However, the email confirmation process was previously required only for users that didn't have two-factor authentication enabled. Cassidy wrote that implementing email verification for all users logging in from new devices or locations "substantially mitigates LostPass, but does not eliminate it" because the LostPass attack could be changed to ask for an email address confirmation in the browser.

Cassidy said he decided to publish the LostPass attack to inform users and companies of what he describes as a "hard-to-fix and easy-to-exploit" LastPass vulnerability so they could respond to the issue and explore whether or not they had been victimized by a LostPass-type attack.

The LostPass attack underscores how vulnerable cloud users can be to simple phishing attacks that are designed to steal their account credentials. Several cloud security firms and experts have echoed concerns recently about how vulnerable cloud account credentials are to theft, and how attackers are targeting users rather than trying to break into the actual cloud provider's environment.

As a result, Cassidy called for a strong focus from the security industry on stopping phishing attacks and developing anti-phishing measures that are built into software. "Many responses to the phishing problem are 'Train the users,' as if it was their fault that they were phished. Training is not effective at combating LostPass because there is little to no difference in what is shown to the user," Cassidy wrote. "We need to take a long look at phishing and figure out what to do about it. In my view, it's just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such."