
LastPass Vulnerable to Simple Phishing attack

Sean Cassidy, the CTO of Praesidio, a Seattle-based startup that gives banks and credit unions a real-time dashboard of the cybersecurity tools they use so they can understand and target potential threats, has revealed a clever attack against LastPass.

LastPass is a cloud-based password manager that lets you store your passwords in a secure, cloud-hosted vault. Or so it seemed, until Sean Cassidy revealed that LastPass was vulnerable to an extremely simple but very convincing phishing attack.

Cassidy came upon the idea when, after clicking a link in an email, the LastPass software displayed an in-browser notification telling him his session had expired and prompting him to log in again. Suspicious of a notification drawn inside the page, Cassidy wondered whether he had just been phished. As he put it: “Any malicious website could have drawn that notification. Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well. Since LastPass has an API that can be accessed remotely, an attack materialized in my mind.”

Cassidy then found that LastPass was also vulnerable to CSRF (Cross-Site Request Forgery), the class of attack in which a malicious web site causes a user's browser to perform an unwanted action on a trusted site where the user is currently authenticated. In his attack the CSRF flaw let the hostile page log the victim out of LastPass, so the "session expired" banner the page then displayed matched the victim's real state. Because the genuine notification is drawn in the viewport as ordinary page content, a pixel-perfect copy could be built from a simple look at its source, and the victim would have no visual cue that it was fake.
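To make the CSRF half of the attack concrete, the following added example (not LastPass's code, and not from Cassidy's write-up) shows why a state-changing endpoint that relies on the session cookie alone can be triggered by any site the victim visits, and what a hardened version of the same handler checks. The endpoint, cookie name, origin `https://vault.example` and the in-memory session store are all hypothetical; the request objects are constructed to mimic what a browser sends when a hostile page embeds the logout URL in an `<img>` tag, versus a real logout click inside the vault's own UI.

```javascript
// Added example, not LastPass code. Everything here (paths, cookie name,
// origin, session store) is hypothetical and exists only to show the
// difference between a CSRF-able logout and a hardened one.

const SESSIONS = new Map(); // constructed: sessionId -> { user, csrfToken }
const SITE_ORIGIN = "https://vault.example"; // hypothetical first-party origin

function createSession(user) {
  const sessionId = `sid-${SESSIONS.size + 1}`;
  const csrfToken = `tok-${Math.random().toString(16).slice(2)}`;
  SESSIONS.set(sessionId, { user, csrfToken });
  return { sessionId, csrfToken };
}

function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map((c) => c.trim()).filter(Boolean).map((c) => {
      const i = c.indexOf("=");
      return [c.slice(0, i), c.slice(i + 1)];
    })
  );
}

// Vulnerable handler: the browser attaches the session cookie to any request
// it makes to this site, so <img src="https://vault.example/logout"> on a
// hostile page is enough to log the victim out.
function logoutVulnerable(req) {
  const sid = parseCookies(req.headers.cookie).session;
  if (!SESSIONS.has(sid)) return { status: 401, loggedOut: false };
  SESSIONS.delete(sid);
  return { status: 200, loggedOut: true };
}

// Hardened handler: state changes only via POST, only from our own origin
// (Origin header, falling back to Referer), and only with the per-session
// token that a cross-site page cannot read.
function logoutHardened(req) {
  const sid = parseCookies(req.headers.cookie).session;
  const session = SESSIONS.get(sid);
  if (!session) return { status: 401, loggedOut: false };
  if (req.method !== "POST") return { status: 405, loggedOut: false };
  let sourceOrigin = null;
  try {
    sourceOrigin = new URL(req.headers.origin || req.headers.referer).origin;
  } catch {
    // missing or unparsable source header: treat as cross-site
  }
  if (sourceOrigin !== SITE_ORIGIN) return { status: 403, loggedOut: false };
  if (!req.body || req.body.csrf !== session.csrfToken) {
    return { status: 403, loggedOut: false };
  }
  SESSIONS.delete(sid);
  return { status: 200, loggedOut: true };
}

// Constructed requests: a forged GET from a hostile page against each handler,
// then a genuine POST from inside the vault UI against the hardened one.
function demo() {
  const a = createSession("alice");
  const forged = {
    method: "GET",
    headers: { cookie: `session=${a.sessionId}`, referer: "https://evil.example/" },
  };
  const forgedResult = logoutVulnerable(forged); // attacker wins: 200, logged out

  const b = createSession("bob");
  const forgedB = { ...forged, headers: { ...forged.headers, cookie: `session=${b.sessionId}` } };
  const blocked = logoutHardened(forgedB); // rejected before touching state

  const genuine = {
    method: "POST",
    headers: { cookie: `session=${b.sessionId}`, origin: SITE_ORIGIN },
    body: { csrf: b.csrfToken },
  };
  const allowed = logoutHardened(genuine); // real user, real token: 200
  return { forgedResult, blocked, allowed };
}
```

The hardened handler rejects the forged request on the method check alone; a hostile page that upgrades to a cross-origin POST (for instance via an auto-submitting form) is then stopped by the origin check, and one that somehow spoofs the origin still lacks the token. Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-enforced layer on top, since the cookie is then not sent on cross-site requests at all.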
Cassidy said: “Once the attacker has the correct username and password (and two-factor token), download all of the victim's information from the LastPass API.

“We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a ‘trusted device’. Anything we want, really.”