Remembering passwords is difficult nowadays. Between all of the crazy site-mandated requirements and the directive of never reusing the same password on multiple sites, the human brain is outmatched. It is for this reason that I, and many others, swear by password managers. Not only do they securely store login credentials, but can generate ultra-secure passwords too.
While there are many companies that offer such solutions, I stick with LastPass. Why? Linux. Yes, LastPass is one of the only solutions that works with all major operating systems, including Linux distributions. By default, many users of Ubuntu, Fedora, Chrome OS, and more, choose LastPass because there aren’t many other options. Sadly, today, it is revealed that this password manager is at risk of a nasty phishing vulnerability. The author, Sean Cassidy, has published details about what he has dubbed ‘LostPass’.
“I have discovered a phishing attack against LastPass that allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. I call this attack LostPass. The code is available via Github. LostPass works because LastPass displays messages in the browser that attackers can fake. Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and login screen”, says Sean Cassidy, CTO, Praesidio.
Cassidy further explains, “a few months ago, LastPass displayed a message on my browser that my session had expired and I needed to log in again. I hadn’t used LastPass in a few hours, and hadn’t done anything that would have caused me to be logged out. When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification”.
True, this is not a hack of LastPass — its servers have not been compromised, but it is showing a flaw in design that can be exploited. Scary stuff indeed. Ultimately, LostPass is a proof of concept showing how easy it is to trick users into handing over their master password and email address. Keep in mind, once a bad guy gets access to a user’s email address and master password, they can download the entire vault — this includes login credentials, private notes and even both bank account and credit card information too. This could really wreak havoc on someone’s life.
While many would be quick to blame users for being stupid, Cassidy says not so fast. He shares the below key reasons that LostPass can be very effective.
Many responses to the phishing problem are “Train the users”, as if it was their fault that they were phished. Training is not effective at combating LostPass because there is little to no difference in what is shown to the user
LastPass’s login workflow is complex and somewhat buggy. Sometimes it shows in-viewport login pages, and sometimes it shows them as popup windows
It is easy to detect LastPass and it was even easier to find the exact HTML and CSS that LastPass uses to show notifications and login pages
It even phishes for the two-factor auth code, so 2FA is no help
You can read a step-by-step explanation of the LostPass vulnerability here. If you want to take a peak at the source code, it is hosted on GitHub here. As you can see, even the most mindful and security-focused computer experts could be fooled, as the fake login looks identical.
LastPass works so well across multiple operating systems because it is a browser-based extension — that is why many Linux users love it. Sadly, according to Cassidy, the password-manager’s most attractive aspect is what makes it so insecure in this regard.
A native application would be the preferable design to minimize the potential of phishing scams. Unfortunately, depending on how serious you consider this design flaw, it may mean going with an alternative solution with native applications, such as 1Password, until the company can overhaul LastPass.