The security researcher behind the "LostPass" proof-of-concept attack on cloud-based password manager LastPass has questioned the company's reaction and public statements to his research.
Over the weekend, Sean Cassidy, CTO of cloud security startup Praesidio, delivered a presentation at hacker conference ShmooCon in Washington, D.C., about a simple phishing attack that could bypass LastPass security controls and obtain users' credentials. Specifically, the LostPass phishing attack used a logout cross-site request forgery to trick users into clicking on fake LastPass notifications in their browsers, which would then send them to an attacker-controlled replica of the LastPass login page that would prompt users for their email addresses, master account passwords and even their two-factor authentication codes.
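The first step of the attack described above is a logout cross-site request forgery: a page the user happens to be visiting makes the browser send a request that ends the LastPass session, which is what makes the forged "you have been logged out" notification plausible. The following is an added example, not code from the article or from LastPass, showing the checks a logout endpoint should apply so that a cross-site request cannot end a session. The site origin, header layout and token handling are assumptions for illustration.

```python
"""Added example: treating logout as a state-changing request that needs
CSRF protection. Not from the article or from LastPass; the origin name,
request model and token scheme below are assumptions."""

import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://vault.example.test"  # hypothetical first-party origin


@dataclass
class Request:
    method: str
    headers: dict
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    # Per-session anti-CSRF token, handed to first-party pages only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def is_same_origin(headers):
    """Origin is set by browsers on cross-site POSTs; fall back to Referer
    when it is absent (older clients, some same-origin navigations)."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer", "")
    return referer.startswith(SITE_ORIGIN + "/")


def logout_allowed(req, session):
    """Return (allowed, reason). Only a POST from our own origin that
    carries the session's CSRF token may end the session."""
    if req.method != "POST":
        # A GET logout can be triggered by an <img> or <script> tag on any
        # third-party page, which is the CSRF primitive the attack relies on.
        return False, "logout must be a POST"
    if not is_same_origin(req.headers):
        return False, "cross-site origin"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: two cross-site attempts and one genuine one."""
    sess = Session()
    forged_get = Request("GET", {"Referer": "https://blog.example.test/post"})
    forged_post = Request("POST", {"Origin": "https://blog.example.test"},
                          {"csrf_token": sess.csrf_token})
    genuine = Request("POST", {"Origin": SITE_ORIGIN},
                      {"csrf_token": sess.csrf_token})
    return [logout_allowed(r, sess) for r in (forged_get, forged_post, genuine)]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The token check alone would already block the forged requests; the origin check is defence in depth, and marking the session cookie `SameSite` adds a third layer at the browser. The point the article makes is that logout is worth protecting at all: an endpoint that "only" logs the user out is exactly what a phishing flow needs to manufacture a believable re-login prompt.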
Following the LostPass presentation and an accompanying blog post from Cassidy, LastPass responded Monday with a public statement on its website, which addressed LostPass and included changes to the company's security controls.
The primary change was made to the email verification system. Previously, LastPass required users who had not enabled two-factor authentication (2FA) to perform an email verification process when logging in from new devices or locations, but users that had 2FA enabled were exempt from this requirement. Following the LostPass presentation, LastPass now requires all users to perform the email verification step, which both the company and Cassidy said will significantly mitigate a LostPass-type attack.
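The policy change described above can be written down as a small decision function, which makes clear why it helps: a LostPass-style page can capture a password and a one-time code, but it cannot read the victim's mailbox, so an email step on an unknown device stops the replayed login. The following is an added example and not LastPass code; the attempt model and the two policy variants are assumptions that reflect the article's description.

```python
"""Added example: the 'new device requires email verification' rule before
and after the change the article describes. Not LastPass code; the data
model and policy names are assumptions."""

from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    BEFORE = "2fa_users_exempt"   # users with 2FA skipped email verification
    AFTER = "everyone_verifies"   # every unknown-device login is verified


@dataclass(frozen=True)
class Attempt:
    password_ok: bool
    totp_ok: bool          # True when no 2FA is enrolled, or the code was accepted
    user_has_2fa: bool
    device_known: bool     # device/location previously verified for this account
    email_confirmed: bool  # user has clicked the verification link for this attempt


def login_decision(a, policy):
    """Return 'allow', 'deny' or 'pending_email_verification'."""
    if not a.password_ok:
        return "deny"
    if a.user_has_2fa and not a.totp_ok:
        return "deny"
    if a.device_known:
        return "allow"
    # Unknown device: the old policy let 2FA users through on the strength
    # of the one-time code alone; the new policy always asks the mailbox.
    exempt = policy is Policy.BEFORE and a.user_has_2fa
    if exempt or a.email_confirmed:
        return "allow"
    return "pending_email_verification"


def replayed_phished_login(policy):
    """Constructed scenario: correct password and correct one-time code
    submitted from a device the account has never seen, with no access to
    the account's email."""
    return login_decision(
        Attempt(password_ok=True, totp_ok=True, user_has_2fa=True,
                device_known=False, email_confirmed=False),
        policy,
    )


def genuine_new_device_login(policy):
    """Same account on a new laptop, after the owner confirms the email."""
    return login_decision(
        Attempt(password_ok=True, totp_ok=True, user_has_2fa=True,
                device_known=False, email_confirmed=True),
        policy,
    )


if __name__ == "__main__":
    for p in Policy:
        print(p.value, replayed_phished_login(p), genuine_new_device_login(p))
```

The verification must stay out of band: if the "confirm this device" prompt were itself drawn in the browser viewport, the same forged-notification technique could imitate it, which is the concern Cassidy raises later in the article about the master-password alerts.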
But since Monday, a number of discrepancies arose between the two sides. In an email to SearchSecurity, Joe Siegrist, vice president and general manager of LastPass, questioned Cassidy's statement that he informed the company of the research in November. "Our team does not have a record of him contacting us in November, but upon receiving his report in December, we took immediate action," Siegrist said.
Cassidy contested this claim. "I provided LastPass additional proof of my contacting them in November and they haven't responded," Cassidy said in an email to SearchSecurity. "I don't know why this is a sticking point for them."
Siegrist was asked by SearchSecurity why LastPass waited until after Cassidy's public presentation on LostPass to address the issue. "Unfortunately, it wasn't clear until his public presentation that the additional change to email verification was needed," Siegrist said.
Cassidy said he tried to communicate with LastPass in December about how to address the issue, but to no avail. "When they responded to my report in December, I expected that to start a dialogue where we could fully investigate the issue together. However, that didn't happen," he said. "After LastPass saw my talk in the ShmooCon schedule, they must have realized that they needed to address this and reached out. Through our dialogue in the week preceding ShmooCon, we figured out that the email verification fix was necessary."
There were other disagreements between LastPass and Cassidy. In its public statement on LostPass Monday, the company said it was "working to release additional notification options that bypass the viewport and, therefore, eliminate the risk that it presents in phishing attacks." Siegrist further clarified that statement to SearchSecurity, saying that LastPass began working on those options prior to the public reveal of LostPass, but not prior to Cassidy's private disclosure to LastPass.
Cassidy, however, said LastPass told him something different. "This seems specious. In my dialogue with LastPass last week, their developers said they had no interest in changing how they display their notifications, even after they fully understood how LostPass works," Cassidy said. "I bet that has changed with the public outcry LostPass has caused. This could have been fixed well before my public disclosure, but they chose to not engage with me soon enough."
Cassidy also took issue with LastPass' characterization of the browser viewport-notification issue, which the company appeared to put squarely on Google. LastPass said it has "encouraged Google for years" to allow developers to avoid having to use the browser viewport for notifications.
"As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the [Document Object Model]," LastPass said. "You can see our plea for this back in January 2012, with still no resolution; please star this issue to help us raise awareness."
The company linked to a Chromium page with developer feedback on infobars and notification issues with Chrome, in which a community member purportedly employed by LastPass makes a plea for infobars in Chrome and claims, "This is a chrome security issue, too."
But Cassidy said this doesn't absolve LastPass of responsibility, and instead just adds more questions about why the company didn't take additional steps to address issues with Chrome viewport notifications. "If you knew about the problem since 2011 and did nothing but add a comment to a Chrome issue, are you really looking out for your users?" he said.
SearchSecurity asked LastPass why it continued using viewport notifications in Chrome for years if it knew the notifications were problematic and presented potential security issues. Siegrist said the company took steps to address some of the problems with Chrome notifications, but hadn't anticipated the type of attack outlined in Cassidy's LostPass research.
"In 2011, our team made a number of changes to reduce the impact of these deficiencies in the browser. Our changes included using IFrames everywhere, limiting what was asked for and offered in those dialogues, and more," Siegrist said. "The particular path covered in his research wasn't previously thought to pose an issue, as users would typically click the LastPass extension icon to log in."
Cassidy said that he "immediately saw the problem and its severity" upon receiving a LastPass notification in his browser viewport recently, but he conceded that others may not have. Still, Cassidy found LastPass' official response to be lacking, not only because the company put much of the blame on Google, but also because it didn't address the LostPass attack on Firefox.
In addition, Cassidy said he reported another finding to LastPass and has yet to hear back from the company. Specifically, he said that one of the mitigations LastPass introduced to address LostPass, which sends security alerts when users type in master passwords on non-LastPass webpages, can be manipulated by attackers using a LostPass-type scheme, because those alerts are still shown in the browser viewport.
While Cassidy said previously in his blog post that he doesn't blame LastPass for being vulnerable to phishing attacks, he did criticize the company's response to his research and its characterization of the issue.
"If LastPass was more proactive and worked with me earlier, I would have been happy to help them, and we would have fixed this in December -- not a day after my [ShmooCon] talk," he said. "To be honest, it seems like they never took my work seriously."