Slashdot Mirror


LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com)

An anonymous reader writes: Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password. He developed a tool called LostPass that automates phishing attacks against LastPass, and even allows attackers to collect password vaults from the LastPass API.

19 of 146 comments

  1. after reading the details, this is significant by raymorris · · Score: 5, Informative

    I read through the details and this is pretty significant. It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser, but it was demonstrated that even that isn't sufficient. This looks like a significant problem for Lastpass and any others with a similar UI.

    For anyone who doesn't care to read the details, here's the crux of the problem:

    Lastpass prompts for the master password -within- the browser window. Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog, so users can't tell the difference. Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.

    1. Re:after reading the details, this is significant by reve_etrange · · Score: 5, Informative

      It's really a Chrome issue, on Firefox LastPass uses an OS dialog. According to TFA there's an outstanding issue report in chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).

      --
      .: Semper Absurda :.
    2. Re:after reading the details, this is significant by ArmoredDragon · · Score: 4, Interesting

      Lastpass is an addon/extension overlay, meaning there is no URL.

    3. Re:after reading the details, this is significant by Aighearach · · Score: 2

      Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog

      If popups are still a thing, that is much more shocking than the supposed "vulnerability."

      I know there are serious professionals actually claiming that password managers make you more secure, but it seems obvious that having a single point of failure based on trust introduces a major vulnerability.

      IMO the vulnerabilities involved are:

      1. Running browsers that allow pop-ups.
      2. Creating a single point of failure based on un-audited trust.
      3. Using a networked password manager that not only can communicate over the network but actually has an API for it. The API stuff is useful for enterprise login management, but that is a different use case than these password managers, and it should be in a different product. All that stuff should be done with traditional solutions, because they already work and are easy to run on a private network and integrate into network security.
      4. Willingness of users to run fairly new software intended to protect security. If it is less than 15 years old, it hasn't even finished beta testing yet. That is the attitude that security requires. If you don't believe me, just check the security news the past 2 years. ;)
      5. Separately from the general problem of networking, the specific feature of browser synchronization is exceptionally dangerous. There is no way ever to know how secure you are. Even code audits wouldn't help, because browser software is updated too frequently to know if new vulnerabilities have been created within the browser extension capabilities.
    4. Re:after reading the details, this is significant by Frosty+Piss · · Score: 2

      Disagree and this comment makes me sad. What you're arguing is because of Chrome's (large) user base, it's not liable to be a good citizen and follow standards/procedures...

      NOT AT ALL!

      I'm saying that if you put a SECURITY product out and don't test it on all the available browsers, your product is crap. It's not secure on one of the most popular browsers, why would they design it that way?

      --
      If you want news from today, you have to come back tomorrow.
    5. Re:after reading the details, this is significant by drolli · · Score: 2

      Generation iphone: first complain, then right-click. Then complain that the option was intentionally hidden.

  2. Re:Slashdot vulnerable to extremely simple attack by Anonymous Coward · · Score: 3, Funny

    Everybody can write stupid comments, and nothing at all can stop them!

  3. Re:Password managers continue to be dumb by jopsen · · Score: 2

    Either you can remember a lot of passwords or you can't. If you can't, just use the same password everywhere. It's as effective as using a "master" password.

    Putting 2fa on the vault seems like a sane thing to do... Also it's fewer places that can leak your "master" password... Ie. only lastpass has your master password, so it's only if they get compromised that it is leaked... And they hopefully hash passwords properly... Can't say I believe every other random site hashes passwords correctly.

    Also once the browser session is authenticated you shouldn't need to do lastpass again, right?... So you type your master password fewer times.
    Honestly, I've been planning to move to a password managing system... like lastpass. It doesn't magically fix all attack vectors, but reduces a lot.

  4. Re:Password managers continue to be dumb by bhiestand · · Score: 2

    Either you can remember a lot of passwords or you can't. If you can't, just use the same password everywhere. It's as effective as using a "master" password.

    Putting 2fa on the vault seems like a sane thing to do... Also it's fewer places that can leak your "master" password... Ie. only lastpass has your master password, so it's only if they get compromised that it is leaked... And they hopefully hash passwords properly... Can't say I believe every other random site hashes passwords correctly.

    Also once the browser session is authenticated you shouldn't need to do lastpass again, right?... So you type your master password fewer times.

    Honestly, I've been planning to move to a password managing system... like lastpass. It doesn't magically fix all attack vectors, but reduces a lot.

    ^ This. I have 2FA on my email and on lastpass. Email and LastPass both have separate passwords. I also have 2FA on the banks I care about. I also receive instant text/email about significant transactions.

    Every site has its own, extremely complex unique password. Most of the sites I really care about also require email confirmation of any security-significant changes.

    So to really do anything with my accounts, you need all of my lastpass passwords, my 2FA for email, my email password, and you have to do it in such a way that I won't notice (either receiving the email notifications or losing access to my email) before I can stop you.

    I'll call this "good enough"

    I also click on the lastpass icon to login... not sure how anyone could fake the login modal coming out of the extension like that. I'm guessing this doesn't apply to me because I'd hit cancel and go to my normal method.

    --
    SWM seeks new sig for a brief fling
  5. We did this in 1975 on a Burroughs B5500 Timeshare by Wheels17 · · Score: 2

    I laughed when I went to his page and saw the description of the attack. We were timesharing on a B5500 at a major university and found the way to find active but un-logged in terminals and take control. When the login sequence was keyed in, we'd pop up a page identical to the proper login screen and ask for credentials. We'd write to a file, post the proper user ID but a wrong password to the system, and disconnect. The system would reply with the standard wrong password prompt, and the user would figure they just fat fingered the password and was none the wiser. We collected user IDs and passwords of nearly 90% of the people on the system, before we chickened out and deleted the application and the database. I don't think the system folks ever knew it happened.

  6. Re:Seems like time to consider the alternatives by Duckman5 · · Score: 4, Informative

    keepass is cross platform, using the same file on Linux/Win/Android/MacOS. You can store the encrypted database in a cloud-based service like dropbox and have a highly portable system for password storage on-line & off-line.

    That's what I do. For added security, I have a key file that I never put online and only stored locally on my laptop/phone. That way, even if someone gets my database AND somehow intercepts my password they're still out in the cold.

    KeeCloud is a good place to start. Then just pick a browser integration plugin and you're off. For android, Keepass2Android is a good choice, too. It has an integrated keyboard that will directly type the username and password into the browser (or app) so you can avoid all those clipboard stealing exploits.

  7. Lastpass TFA actually makes the hack easier by raymorris · · Score: 2

    The way Lastpass implements 2-factor, it actually makes the hack EASIER.

  8. not exactly, see Firefox screenshot by raymorris · · Score: 4, Insightful

    The blog entry in which the guy describes the attack has a screenshot of the attack in Firefox. The screenshot also includes a legitimate Lastpass dialog, showing that the fake looks -exactly- like the real Lastpass dialog.

    The thing is, the browser can draw something that looks exactly the same as an OS dialog, and it can be dragged around just like the OS dialog. The difference shows up only if you minimize the browser, or already have the browser window small and you then try to drag "the Lastpass" dialog far enough that it's no longer "in front of" the browser window.

    1. Re:not exactly, see Firefox screenshot by TheRaven64 · · Score: 2

      There is a well-known defence against this kind of attack. You don't put up generic dialog boxes like this. When the user configures the app, they should provide a picture or a pass phrase, which is displayed in the dialog box whenever it appears. If the dialog does not contain that picture / phrase, then the user knows that it's not the one for their system.

      --
      I am TheRaven on Soylent News
  9. Re:We did this in 1975 on a Burroughs B5500 Timesh by l0n3s0m3phr34k · · Score: 2

    If you have physical access to the terminal, eventually you can come up with a system to defeat almost all security.

  10. LastPass's Response by hawkeey · · Score: 5, Informative

    Here's the response from LastPass:
    https://lastpass.com/support.p...
    (I think this link should be in the main summary for balance)

    As for Google Chrome, LastPass asks that you star Issue 39511 for extension infobars outside the DOM. Specifically here's LastPass asking for improvement in Chrome January 12th, 2012:
    https://code.google.com/p/chro...

    I am NOT affiliated with LastPass.

  11. I wish. See the Firefox screenshot by raymorris · · Score: 3, Informative

    Check out the Firefox screenshot that the researcher included. On Firefox the fake dialog still looks exactly like the legitimate dialog. It looks just like an OS window that has popped up in front of the browser window. You'd only know something was amiss if you tried to drag out to a different part of the desktop so it was no longer "in front of" (actually within) the browser.

  12. on random sites, and reveals other passwords by raymorris · · Score: 2

    Slashdot requests a password in the browser, but it's not affected the same way. First, Lastpass throws up a password prompt ON OTHER WEB SITES. You wouldn't enter your banking password on Slashdot.org. However, if Lastpass stores your bank Slashdot password, Lastpass will pop a dialog on Slashdot. You'll then enter your master password into "Lastpass" while you're on Slashdot. With any web-based service, you'd enter your password only on the legitimate site. Lastpass users enter their master password on arbitrary sites.

    Secondly, getting the user to enter their ONE Lastpass master password allows the attacker to retrieve ALL of the passwords, for all other sites. So if you use Lastpass, an XSS attack against Slashdot would reveal your banking password.

  13. Re: Seems like time to consider the alternatives by bill_mcgonigle · · Score: 2

    Keep /home on luks, use a screen locker, and configure LastPass to remember the master password. It will tell you that's less secure. Yeah, for less likely attacks - spoofing predictable chrome has been around for more than a decade. x11 apps can already steal your passwords, so minimizing keyboard input of them is important until Wayland.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)