At ShmooCon on Saturday, Sean Cassidy, the CTO of Praesidio, demonstrated a clever attack against LastPass, which is possible thanks to a security trade off and easily spoofed UX elements.
Cassidy’s presentation at ShmooCon on Saturday morning outlined a clever Phishing attack against LastPass users, which is made possible due to design elements within the password manager’s core functions.
The attack, which doesn’t require any special skill or circumstance to accomplish, enables an attacker to steal a LastPass customer’s entire existence, as everything stored by the LastPass service is exposed. Cassidy discovered the flaw several months ago, after the LastPass software displayed an in-browser notification alerting him to an expired session and prompting him login again. In November security flaws in LastPass exposed user passwords. This notification was displayed after he had followed a link inside an email he’d recently received. The notification itself was displayed in the browser, leading Cassidy to suspect he’d just been Phished.
“Any malicious website could have drawn that notification. Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well. Since LastPass has an API that can be accessed remotely, an attack materialized in my mind,” Cassidy said.
An attack against LastPass can leverage compromised websites, or websites vulnerable to Cross-Site Scripting (XSS), and because it uses the exact visual elements of the LastPass users are trained to recognize and understand, they’re not going to be on alert or suspect an attack is taking place. LastPass was vulnerable to a CSRF that will log the user out, and enable an attacker to display a fake banner that prompts them to enter their credentials. The banner itself is an exact clone of the real one, and users are used to this visual cue, which means they wouldn’t hesitate to do as it asks.
Once the victim clicks on the banner, they’re directed to a malicious page that looks identical to the normal LastPass login prompt, because it uses the actual design elements created by LastPass. Cassidy was able to obtain the proper visuals with cut and paste; he simply used view source on the webpages when the legitimate prompts were displayed.
Once the login credentials are entered, the information is passed to the LastPass API and verified. If the account requires two-factor authentication, the attacker can direct the user to a second page that will offer an exact copy of the two-factor prompt. If the credentials are invalid, the user will be directed to the malicious page and the display banner will report the error as expected.
“Once the attacker has the correct username and password (and two-factor token), download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a "trusted device". Anything we want, really," Cassidy wrote in a post-talk overview.
LastPass had a measure that was supposed to stop attacks like this, as it would email the user with an alert any time a new IP address attempts to login. However, if the user has two-factor enabled, then the emailed warning isn’t delivered, leaving the user unaware that anything has happened. “I think that the security industry's view of Phishing is naive at best, negligent at worst. Phishing is the most dominant attack vector and is used by everyone from run-of-the-mill CryptoLocker types to APTs,” Cassidy wrote.
“The real solution is designing software to be Phishing resistant. Just like we have anti-exploitation techniques, we need anti-Phishing techniques built into more software. Software security evaluations should also include how easy it is to Phish said software.” In a statement to Salted Hash, Joe Siegrist, VP and GM of LastPass, said that the company worked with Cassidy and confirmed the issue was a Phishing attack and not a vulnerability in LastPass itself.
He also said the company released an update that “will prevent a user from being logged out by the Phishing tool, thereby the mitigating the risk of the phishing attack. In addition, LastPass has a built-in security alert to let you know when you've entered your master password into a non-LastPass web form.” The good news is, the patch did fix many elements of the Phishing issue. But the bad news is, it didn’t fix it completely. In fact, it made the issue worse on some levels.
“I was happy they acknowledged the issue, but I was disappointed that they said it wasn’t a vulnerability in LastPass itself. I do think it’s a vulnerability in LastPass. It leverages a vulnerability in Chrome, and it uses how Firefox does pop-up windows, but ultimately LastPass is responsible for the security of their users, and I feel they have to own it,” Cassidy said in an interview after his talk.
The patch fixed the CSRF vulnerability on Chrome, but it also implemented a feature that highlights when a user enters their master password, by generating the warning alert in the same window that the attacker can control. “So I actually can detect when [LastPass] puts that message in there, and now I know your master password. I don’t even have to ask LastPass for it [via API], I know it now, because LastPass [via the alert] told me what it was.”
If the attacker wishes to do so, the warning issued by LastPass can be suppressed, the master password recorded, and the user can be forwarded to a new domain, secondary form, or anywhere else. Since the warning was suppressed, they wouldn't know their master password was exposed. At the end of his talk on Saturday morning, Cassidy released LostPass - a tool that will demonstrate the attack and enable others to replicate it – on Github.