LastPass, the most popular password manager is susceptible to phishing attacks. A LastPass phishing vulnerability was recently uncovered, which could spell disaster for some LastPass users.
Could your password manager be spoofed?
One cybersecurity problem faced by business users and consumers alike is how to keep track of an increasing number of passwords. Password sharing between websites is big security no-no and for maximum security passwords must be complex and changed frequently.
A secure password needs to contain a mix of capital and lowercase letters, non-sequential numbers, special characters, and ideally should be 11 characters long. It must not include any personal information or dictionary words. In short, each password must be next to impossible to remember. Just in case you do manage to memorize it, it is essential to change it often. At least every three months, but preferably every month.
The solution for many people, business users alike, is to use a password manager. This has the advantage of remembering your passwords for you, although it has the disadvantage of exposing every one of your passwords should the unthinkable happen and the password manager be hacked.
Fortunately, when it comes to the latter, the chances are very slim. Password managers are robust and secure, right? Well that would depend on which password manager you use. If you use LastPass for instance, the most popular password manager, those passwords may not be quite as secure as many people think.
At last weekend’s ShmooCon conference, Praeside Inc., CTO Sean Cassidy demonstrated a LastPass phishing vulnerability and showed just how easy it is to spoof the LastPass password manager and obtain login credentials. The bad news is the technique is so effective it is highly unlikely that the user would even know that his or her password has been compromised.
LastPass phishing vulnerability can be exploited with very little skill
The LastPass phishing vulnerability is easy to exploit and has left many security professionals wondering whether this technique is already being used by cybercriminals to gain access to passwords. LastPass has announced that it has patched the problem and has increased security to make it harder for user details to be phished.
Cassidy discovered the LastPass phishing vulnerability some time ago. When logged out, or when a session expires, a browser notification or viewport is displayed requesting the user log back in. However, what happens if that browser window is spoofed? If the user can be redirected to a malicious website where a spoofed version of that browser window is displayed, they could be fooled into entering their login name and password, revealing it to the phisher.
If the spoofed viewport was convincing the user would enter their credentials and be none the wiser that they had been phished. Cassidy set out to prove this by creating an exact copy of the LastPass login screen and using it on a site he had purchased called chrome-extension.pw. The login screen was not just realistic; it was an exact copy. Cassidy took it from the source code of the webpage. It was identical to the real login prompt in every way.
LastPass phishing vulnerability used to capture login credentials
If the user is logged out with a known Cross-Site Request Forgery (CSRF), a spooked viewport can be displayed. Instead of being taken to the real site, they are directed to a page that just looks like the LastPass one. When the login details are entered they are sent to the LastPass API and are verified. The user will be unaware, and the attacker would have the master password. Even if 2FA is enabled a similar process can be set up to get the second authentication factor.
According to Cassidy, a security measure designed to alert the user if their account has been accessed from an unusual IP address would not be triggered if 2FA had been enabled on the account.
LastPass has now made a change and the email alert will be sent to the user regardless of whether they have 2FA set up or not. Should they be phished, they will at least be aware of it. LastPass has also blocked websites from logging users out and further security measures are planned that will notify users bypassing the viewport.
However, since Cassidy has released the tool that demonstrates the LastPass phishing vulnerability and how it can be exploited, it is possible that other attackers could take advantage and create their own versions. LastPass has issued a statement confirming that with the email verification corrected and a patch issued to resolve other security vulnerabilities, the issue is resolved. It would only be possible for the phishing attempt to succeed if the user’s email account has been compromised.
