ISU Information Security

LastPass Password Management Service possibly vulnerable to web attack

Thursday, January 21, 2016 15:19

A security researcher has found that the password management service LastPass is vulnerable to a particular web attack. The attack uses compromised websites and phishing-style trickery to fool a LastPass user into giving up their login information.

The attack

  1. The attack has your browser send a request to log out of LastPass, then uses a fake browser banner to notify you that LastPass has been logged out.
  2. Clicking on the banner notice takes the victim to a fake login for the LastPass plugin. If the user fills in the login, the attacker can harvest the user’s LastPass login information.
  3. If a user has two-factor authentication enabled for their LastPass account, the attacker’s script will redirect the user to a fake two-factor prompt and continue the attack from there.
  4. Once the attacker has the user’s credentials, they can log in to the LastPass account as the user and access the victim’s data.

How can a user defend against possible compromise?

  • When visiting a webpage, if a browser banner informs you that LastPass has logged you out, do NOT click the banner link. Instead, close the webpage, then open the LastPass browser extension directly or visit the LastPass website to log back in.
  • If, when visiting the same page again, you get another browser-banner notification that you have been logged out, the webpage (not necessarily your LastPass account) may have been compromised.

Mitigation

The security researcher responsible for this information describes it as a failure in how LastPass handles login and logout. It should be noted that LastPass has added an email verification step to its login/logout process to mitigate this attack.

It should also be noted that the attack appears to be most effective in Google Chrome, because the extension’s windows, banners, and URL can be mocked up quite convincingly with very simple tools. This does not mean the attack cannot be carried out successfully in Firefox or Safari.

Related Links

The original paper on the attack

LastPass’ FAQ page on the attack