News: The attack bypasses two-factor authentication.
LastPass has updated its login requirements in the wake of the disclosure of a serious phishing attack that mirrors the service's own login prompts to steal credentials and can bypass two-factor authentication (2FA).
The cloud password manager has introduced a mandatory verification step: users who have set up two-factor authentication now have to approve the device they are signing in from via their registered email address before they can sign in to the service.
The company also says it now prevents malicious websites from logging users out of LastPass, and will warn users if their master password is entered on a non-LastPass page. It will also warn users when it detects that their master password is being reused as the password for other websites, and says it is looking at ways to stop drawing notifications in the browser viewport at the top of a web page in order to "eliminate the risk that it presents in phishing attacks."
The changes come after security researcher Sean Cassidy disclosed a simple phishing attack that mirrors LastPass's own login flow and can bypass two-factor authentication.
Such an attack is particularly worrying for LastPass users, who rely on the service to store many complex passwords, often protecting other sensitive accounts and data, so a captured master password and 2FA code exposes everything stored in the vault.
Outlining the attack, which he calls LostPass, ahead of presenting it at ShmooCon in Washington DC, Cassidy wrote that the idea came to him after he was prompted to log in to LastPass by a notification that his session had expired.
"When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification," he said.
Cassidy then formulated an attack whereby the attacker will "get the victim to go to a malicious website that looks benign, or a real website that is vulnerable to XSS." In the XSS case, users are unlikely to be on their guard, because the site is one they already know and trust.
Once the attacker's lostpass.js code is running on the page, it checks whether the visitor is a LastPass user; if so, it displays a fake "login expired" notification and logs the user out of the real service. Cassidy notes that "LastPass is vulnerable to a logout CSRF, so any website can log any user out of LastPass."
Victims are then directed to a convincingly designed fake login page controlled by the attacker, where they enter their login credentials, which the attacker captures.
Critically, the attacker's server can check whether those credentials are correct by calling the LastPass API, which also reveals whether two-factor authentication is required for the account. A user who enters incorrect details is sent back to the malicious website, while a user who has two-factor authentication switched on is redirected to a page that prompts them for their two-factor authentication code.
The attacker then uses the captured credentials and 2FA code against the LastPass API to download the victim's stored data.
Cassidy says that "Training is not effective at combating LostPass because there is little to no difference in what is shown to the user," and highlights the fact that "2FA is no help". He describes LastPass's login workflow as "complex and somewhat buggy", and says that it was easy to detect LastPass and find the HTML and CSS code needed to mimic the service.
The firm itself says: "LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM."