Weak passwords are one of the most common ways that hackers gain access to systems, and with so many different passwords necessary these days, remembering truly strong ones can be really tricky. Password managers are a fantastic way to avoid the problem – and greatly improve your chances of living a life without stress – with the benefit of strong, unique, uncrackable passwords for each of your many accounts. Now, however, a counterfeit browser notification for the popular password manager LastPass has come along to shatter that illusion, and fool users into handing over the keys to the kingdom: their master password.
The art of stealing a person’s vital information is called Phishing, and as time goes on hackers are becoming better and better at it, always finding new and improved ways to extract essential information from vulnerable Internet users. With that in mind, a security researcher called Sean Cassidy, CTO of cloud security firm Praesidio, decided to embark on a mission to create a phishing tool that would be convincing enough to fool LastPass users into making the fatal mistake.
On Saturday Cassidy revealed the fruit of his labor at the ShmooCon hacking conference in Washington, D.C., where he unveiled a phishing tool he calls ‘LostPass.’ The phishing tool relies on a phony LastPass notification that is so authentic that it has the power to fool users into typing in their master password (and if enabled their 2nd-factor authentication code too). So how does it work?
That click forwards the LastPass subscriber to a fake login page – which is also pixel perfect – and undetectable even to those with an exceptionally keen eye. At this stage, the unsuspecting computer user is prompted to enter their master password and 2-factor code, which is sent directly back to the hacker’s server. All that is left then is for the attacker to log on to the victim’s LastPass account using the stolen credentials where he or she gains full access to the victim’s entire repository of passwords.
At the hacking conference, the white hat hacker explained that the attack is successful because of something called Cross-site request forgery (CSRF), which makes use of LastPass’s trust in a user’s browser, and allows any compromised site to send the LastPass application a logout notification via the open API. Cassidy also explained that his Phishing experiment reveals the problem with having a browser-based password manager that encourages users to store a backup of their passwords on its servers. While having an encrypted vault of passwords online can be good for cross-device access (or syncing up a newly purchased device) Cassidy’s phishing exercise demonstrates that it is not as safe as password managers like KeePass, which only store the encrypted passwords on the user’s local device.
‘You don’t [need to] have access to a LastPass user’s machine, instead, you trick the user into giving you their credentials,’ says Cassidy in his online blog about the attack.
‘Once the attacker has the correct username and password (and two-factor token), download all of the victim’s information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a “trusted device”. Anything we want, really.’
LastPass has been in communication with Cassidy about the problem since November, and the company has worked with the security researcher to solve the problem. A security update now stops Cassidy’s phishing tool from logging LastPass users out, and on top of that LastPass has created a ‘built-in security alert to let you know when you’ve entered your master password into a non-LastPass web form.’
The company, it appears, was happy to work with the white hat hacker despite the fact that they do not see eye to eye. Cassidy feels that being able to create a phishing tool that gives a hacker access to people’s vault of passwords is a weakness in the firm’s service. LastPass, on the other hand, considers phishing a direct attack on one of their subscribers rather than an inherent problem with its service. Cassidy is not happy with LastPass’s solution, explaining that a hacker could, in fact, use a website (in the same way as he did with his logout message) to suppress the new security alert,
‘We as an industry do not respond to phishing attacks well. In my view, it’s just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such.’
Explaining why the new notification is not good enough he adds,
‘On an attacker-controlled website, it is trivial to detect when this notification is added. Then the attacker can do whatever. In LostPass, I suppress the notification and fire off a request to an attacker server to log the master password.’
Despite the fact that LastPass has released LastPass 4.0 which upgrades the password vault, the LostPass phishing software’s code is available on Github right now and is capable of hacking the new version of LastPass. For this reason, anyone who receives a logout (or other) notification from LastPass is strongly advised not to click on it and to proceed manually instead to the LastPass website in order to log in, that way avoiding accidentally typing their master password into an attacker’s pixel-perfect counterfeit form. Alternatively, you can check that the page where you are asked to type your credentials starts with -chrome-extension:// – If it does then you are on the right page.
A final piece of advice for LastPass users is to switch from Chrome to Firefox. The reason for this is that in Firefox the phishing notifications are not identical to the official LastPass notifications, which in Chrome they are. This will give you a fighting chance of noticing that something untoward is happening.