The proof-of-concept attack has been dubbed “LostPass” by researcher Sean Cassidy, chief technical officer at cloud security company Praesidio. LastPass is a popular password manager that lets users store all their online account details in one place, protected by a single root password, to simplify website login processes. The flaw was found in the Google Chrome extension version of LastPass.
Periodically, the LastPass extension requires the user to log in again to verify they are still the person using the computer. A message is displayed in the browser notifying the user that their session has expired, with a link back to the login page.
The issue is that this warning is rendered as part of the webpage currently loaded in the tab, rather than in a part of the browser that a website cannot control. An attacker could easily fake the warning on any malicious website they create, tricking users into thinking their LastPass session has expired. The link could point to a customised login page, and the user’s root password harvested from there.
The hard work of creating the fake login page has already been done for the attacker by LastPass. Cassidy found that the code and styling resources used for the page are very easy to extract from the extension’s source, giving the attacker an exact clone of the real login page to use wherever they see fit.
Cassidy said: “LostPass works because LastPass displays messages in the browser that attackers can fake. Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and login screen.”
In the proof-of-concept exploit outlined by Cassidy, the computer user would never notice anything unusual about any of the LastPass pages presented. They would click the fake banner notification in the browser and enter their details into the attacker’s login page. These would then be sent to a server for storage and used later to retrieve the victim’s LastPass database, using the service’s public API.
LastPass has now responded to Cassidy’s initial report of his phishing attack, sent to the company in November 2015. It has implemented a new login method that requires the user to click a link sent to their email address before logging in from a new IP address, something Cassidy says “substantially mitigates LostPass, but does not eliminate it.”
LastPass claims that LostPass does not expose a vulnerability in its software, something Cassidy disagrees with. He calls the attack “trivial” to implement, noting that the security industry takes a dim view of phishing attacks against established companies, especially ones that offer services designed to protect user data.
Technically, Cassidy hasn’t hacked LastPass, but his demonstration does highlight how convincing a setup an attacker could create using only the resources the company itself provides. LostPass is a very sophisticated phishing attack that LastPass users should be wary of while the company works out a long-term plan to secure its login process.
