LastPass Vulnerable To Extremely Simple Phishing Attack

An anonymous reader writes: Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password. He developed a tool called LostPass that automates phishing attacks against LastPass, and even allows attackers to collect password vaults from the LastPass API.
  • by raymorris ( 2726007 ) on Sunday January 17, 2016 @09:17PM (#51319839) Journal

    I read through the details and this is pretty significant. It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser, but it was demonstrated that even that isn't sufficient. This looks like a significant problem for Lastpass and any others with a similar UI.

    For anyone who doesn't care to read the details, here's the crux of the problem:

    Lastpass prompts for the master password -within- the browser window. Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog, so users can't tell the difference. Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.

    • Isn't this a pretty standard "hack"? If LastPass missed this issue, what else is sketchy?

      • by reve_etrange ( 2377702 ) on Sunday January 17, 2016 @09:34PM (#51319903)
        It's really a Chrome issue; on Firefox LastPass uses an OS dialog. According to TFA there's an outstanding issue report in Chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).
        • It's really a Chrome issue; on Firefox LastPass uses an OS dialog...

          Sure, understood, but that makes it a design issue with LastPass, especially seeing as how Chrome has by far more users than Firefox.

          • I switched back to FF about 6 months ago. Chrome, for me, started slowing down.
        • by raymorris ( 2726007 ) on Monday January 18, 2016 @12:26AM (#51320363) Journal

          Check out the Firefox screenshot that the researcher included. On Firefox the fake dialog still looks exactly like the legitimate dialog. It looks just like an OS window that has popped up in front of the browser window. You'd only know something was amiss if you tried to drag it out to a different part of the desktop so it was no longer "in front of" (actually within) the browser.

          • FTA "It is harder to spoof in Firefox, where I had to draw each OS's native widget manually"

            If the user uses ANY customized desktop theme on Windows, these pop-ups are going to look totally alien to the user.

            Finally, a valid use for the Windows Classic theme.

        • It's really a Chrome issue; on Firefox LastPass uses an OS dialog. According to TFA there's an outstanding issue report in Chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).

          Also in TFA, he was able to pretty effectively fake the OS dialog. Most people would be fooled.

    • It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser

      That's already the case in Firefox. The exploit only affects Chrome, and even then you can always check to make sure the URL says "chrome-extension" and not something similar.

      • by raymorris ( 2726007 ) on Sunday January 17, 2016 @11:29PM (#51320225) Journal

        The blog entry in which the guy describes the attack has a screenshot of the attack in Firefox. The screenshot also includes a legitimate Lastpass dialog, showing that the fake looks -exactly- like the real Lastpass dialog.

        The thing is, the browser can draw something that looks exactly the same as an OS dialog, and it can be dragged around just like the OS dialog. The difference shows up only if you minimize the browser, or already have the browser window small and you then try to drag "the Lastpass" dialog far enough that it's no longer "in front of" the browser window.

        • by ZeRu ( 1486391 )
          You could have LastPass remember your e-mail and autofill it for you when it prompts you for the master password. A phishing site typically won't know your e-mail, unless they asked you for it (as part of the registration process, for example). I suggest using a different e-mail than the one you use for your LastPass account for every site that requires a password. If you're on Gmail, adding "+[domainname]" to your Gmail username is enough, since Gmail ignores everything after a plus sign.
          • There is a well-known defence against this kind of attack. You don't put up generic dialog boxes like this. When the user configures the app, they should provide a picture or a pass phrase, which is displayed in the dialog box whenever it appears. If the dialog does not contain that picture / phrase, then the user knows that it's not the one for their system.
    • Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog

      If popups are still a thing, that is much more shocking than the supposed "vulnerability."

      I know there are serious professionals actually claiming that password managers make you more secure, but it seems obvious that having a single point of failure based on trust introduces a major vulnerability.

      IMO the vulnerabilities involved are:

      1. Running browsers that allow pop-ups.
      2. Creating a single point of failure based on un-audited trust.
      3. Using a networked password manager that not only can communicate over the netw
    • It is significant, but I think I have to point out the context here. This is not a Lastpass specific issue. ANY service that prompts for a password within the browser is subject to this attack. It just so happens that the Lastpass service is pretty damn important.
      • Slashdot requests a password in the browser, but it's not affected the same way. First, Lastpass throws up a password prompt ON OTHER WEB SITES. You wouldn't enter your banking password on However, if Lastpass stores your bank Slashdot password, Lastpass will pop a dialog on Slashdot. You'll then enter your master password into "Lastpass" while you're on Slashdot. With any web-based service, you'd enter your password only on the legitimate site. Lastpass users enter their master password

    • Would setting up two factor authentication thwart that?

    • by mysidia ( 191772 )

      Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.

      Unless the user has 2FA enabled.....

      • Unless the user has 2FA enabled.....

        From TFA:

        Attacker can intercept 2FA codes

        Additionally, the attacker can even check these credentials against the LastPass API, verify their accuracy, and even ask the user for the two-factor authentication code if this feature is turned on.

        If everything is correct, and all the codes verify through, using the same LastPass API, an attacker can collect any data from the user's account he wants, including the password vault.

      • "Even if the user has 2FA enabled.....


    • Well, we all know that too much management is generally counterproductive.
    • A similar issue exists somewhat with any app: how do I know an app used HTTPS to send username/passwords etc.? I realise I could find out using Fiddler or similar, but I mean how do you do those basic checks in an app?
    • by AmiMoJo ( 196126 )

      Why would you use LastPass anyway? It seems like a really dumb idea to rely on a cloud service for passwords.

      I use KeePass. It can optionally sync its database with a file on Google Drive, which I suppose is the cloud, but crucially it runs everything locally and outside the browser process. Much less vulnerable to this kind of attack.

      I never understood the attraction of LastPass. It just seems to charge you money to create a bigger attack surface, and put your credentials at risk.

    • by N1AK ( 864906 )
      Thanks for the summary. Though I'm not sure why it's seen to be such a big issue. Firstly LastPass supports multiple two-factor authentication methods, so even if someone using this fell for it you still couldn't access their vault. Secondly, there's a LastPass icon on the topbar of the browser. It is red if you are logged in, and greyed out if you are not, and you have to click it to bring up the password prompt. If I saw the login prompt with a red icon I know something is wrong, if I see the prompt witho
      • by N1AK ( 864906 )
        To respond to myself, reading a bit more into this the problem is bigger than the previous summary says. The exploit is able to make LastPass logout, making the prompt and even request for the 2nd factor code less suspicious. In short, although it requires users to miss a couple of reasonably subtle signs this is a real security shortcoming that they need to address.
    • So, theoretically, all you'd have to do is sign in with a blank tab in focus? Those shouldn't have any sort of copy of the login dialog.
  • Systems like Lastpass are designed to keep passwords in an online repository and allow users to have different passwords for each service. In principle, this might actually be a better security model. However, it really isn't because it creates a single point of failure and provides a false sense of security. Keyloggers make it pretty easy to collect passwords from unsuspecting users who might not take security as seriously when Lastpass makes them feel secure. You're also placing your trust in the security

    • Relying on a single re-used password is worse than relying on a single password service. If a re-used password is compromised, all of your services are compromised - the same result as if your password service is compromised. However, the "surface area" for attacking the re-used password is much larger. To compromise the re-used password, you only need to compromise one of the sites on which it is used, so the attacker has more sites to pick and choose from and more potential vulnerabilities.
      • Whereas if they reuse 2 passwords instead of just one, they've already defeated your analysis. ;)

        More seriously, the surface area isn't as large as you think, because getting a web password doesn't tell you what other services they use. Getting their password manager password does tell you that. It lets them access sites that the user didn't even use while they were under attack. The surface area of the password manager being exploited is therefore much, much larger, even if the attack surface is smaller fr

        • Yes, re-using two different passwords is better. Three is better than that. You can continue that argument until you end up with a password for each site. Then you'll probably want a password management service, unless you have perfect recall.

          You seem to be describing the "surface area" of the impact after an exploit has occurred. I was trying to describe the attack surface area the would allow an exploit in the first place. This is limited to a single site for the manager scenario - the main password si
          • " Then you'll probably want a password management service, unless you have perfect recall. "

            ... or some imagination and a little black book. ;-)

            • If you have reasonable physical security and are not a high profile target, this is ideal. I use this system.

              People wave their hands and insist a service is somehow safe, but they do it using pure assertion with no actual security analysis showing it to have lower risk. And they'll freely give out the recommendation to the general public, when actually it depends on individual user context and for many (most!) users it will decrease their security. Security by colloquialism.

          • No, often you continue the process until you get to 5 or so and now the user is writing the passwords down. On a sticky note on the monitor is bad, but writing it inside networked application software simply magnifies the idiocy and danger of writing it on a sticky note.

    • by SirSlud ( 67381 )

      That is weapons-grade dumb. The only thing this kind of attack can get is whatever passwords the duped user is entering. If they use only one, then as an attacker, all you need is that first one. Since auditing is so important to you, presumably you would also insist that you audit all the websites you're giving your password *to*. Think about it: "I don't trust the password manager, but I think it's a great idea to give the same password to a bunch of different websites whose handling of my password I *can

      • You should probably re-read his post, as you got his point bass-ackwards. He is talking about using multiple passwords, not a single Uber one.
  • Suggestions for alternative password managers that work on all the same platforms? So Linux would need to be included (meaning 1password is out), and iOS and Android as well.

    I know there's keepass for the desktop, though I seem to recall the Linux client being a choice of either using some old file format or the Windows version on WINE, and don't know how it'd conveniently sync with a mobile.

    • by Anonymous Coward

      keepassx on linux.

    • by rspeed ( 415248 )

      It's not optimal by any measure, but the Windows version of 1Password is very well-behaved via Wine.

    • by Anonymous Coward

      Keepass1 is rock solid and has native support on all platforms (but no cloud storage, so you'll have to sync it yourself with Dropbox or similar). The Keepass1 format is well documented enough that it is pretty much a de facto standard. Keepass2 is a .Net rewrite that doesn't work well on ANY platform, and its new format is not widely supported.

      The only decent feature that Keepass2 added was better multi-user support, which is pointless for most users anyway. Go with Keepass1.

      • "Keepass2 is a .Net rewrite that doesn't work well on ANY platform, and its new format is not widely supported. The only decent feature that Keepass2 added was better multi-user support, which is pointless for most users anyway. Go with Keepass1."

        As for the leading Android implementations, keepass2android is definitely better than keepassDroid. They use the same database format (kdbx). However, KPD does not black out its thumbnail in the recent-apps list, does not have the same features for auto-locking th

    • by ve3oat ( 884827 )
      How about PasswordSafe? I think it was originally designed by Bruce Schneier of Schneier on Security [] fame. His credentials are excellent.
    • by meadow ( 1495769 )
      A better solution IMHO by far is to ditch Chrome. And, as someone above wrote, it's not just LastPass that can have this issue in it, but potentially any other app as well.
    • I use Firefox's built-in password manager with a master password. Works on Windows, Linux, Android. I haven't tested but it should also work on iOS and OS X. It's open source, does not store unencrypted passwords in the cloud, uses an OS popup for the master password prompt, and prompts only during browser startup, so it'd be very suspicious if opening a page would show the prompt. Also, knowing the master password is not enough to compromise it remotely - you'd also need the Firefox account password, which should be different and v
    • Keep /home on luks, use a screen locker, and configure LastPass to remember the master password. It will tell you that's less secure. Yeah, for less likely attacks - spoofing predictable chrome has been around for more than a decade. x11 apps can already steal your passwords, so minimizing keyboard input of them is important until Wayland.

    • I have used RoboForm for almost 10 years and I recommend it to everyone.

      I think it is great. The iOS and Windows Phone OS clients are a little lacking but present, Windows, Mac, Linux and Android support are awesome.

  • Anyone know if there is a password manager similar to LastPass, but that you host and can run on your internal network only? My predecessor was clearly in love with lastpass and currently, every key to my IT kingdom exists on there, which I'm not entirely too fond of, especially now. It is kinda nice, but for my situation, I have absolutely no reason for it to be publicly accessible. I would love to run something like this on my own linux VM, hidden behind the safety of my firewall and my management VLAN.
    • by Anonymous Coward

      Bruce Schneier recommends (because he designed it...).

      I like it too.

    • I use PWSafe combined with an OwnCloud instance for sync. Devices have their own local copy of the database plus access to the OwnCloud copy, so I can handle even complicated cases of multiple conflicting updates from multiple devices (I usually do changes on a PC and the "master" gets uploaded to OwnCloud automatically, but devices can either change the OwnCloud copy and those changes get merged into the "master" or they can change their local copy and upload that to OwnCloud for merging into the master ma

  • Something about 'online' password managers really irks me. I've tried lastpass before but didn't really trust it and the plugins became more annoying than useful. So, I switched to keepass and just sync that file on my cloud storage. It's much easier to manage imo and I can use it both on my android and my computer for free.
    • I always assumed (based on the name only), that lastpass wasn't a database, but a {printable characters} encoded hash of the domain & master password. I'm somewhat disappointed that that isn't what they're using.

      • The problem with regenerating a hash every time you choose to log in to a particular site is that sites' minimum and maximum length and complexity for user passwords varies so widely. It would have to store the length, set of permitted characters, and set of required characters for each site.
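The two comments above describe a stateless scheme (site password = function of master password and domain) and the objection that it still has to store each site's length and character rules. As an added illustration, not code from LastPass or from anyone in the thread, the following derives a per-site password from a slow KDF over the master password, keyed by domain and a rotation counter, and maps the result onto the site's own policy so the required character classes are always present. The two policies and the site names are constructed for the example, not real rules.

```python
"""Deterministic per-site password derivation with a per-site policy (added example)."""
import hashlib
import hmac
import string
from dataclasses import dataclass
from typing import Iterator, Tuple


@dataclass(frozen=True)
class SitePolicy:
    """What a site accepts: total length, permitted alphabet, and character
    classes of which at least one character must appear in the password."""
    length: int
    allowed: str
    required: Tuple[str, ...] = ()


# Constructed sample policies for two hypothetical sites (not real site rules).
POLICIES = {
    "bank.example": SitePolicy(
        12, string.ascii_letters + string.digits,
        (string.ascii_uppercase, string.digits)),
    "forum.example": SitePolicy(
        20, string.ascii_letters + string.digits + "!@#$%",
        (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%")),
}


def _site_key(master: str, domain: str, counter: int) -> bytes:
    # Slow KDF over the master password. Domain and counter form the salt, so
    # each site gets an independent key and bumping the counter rotates it.
    salt = f"{domain}\x00{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)


def _byte_stream(key: bytes) -> Iterator[int]:
    # Unbounded deterministic byte stream: HMAC-SHA256(key, block number).
    block = 0
    while True:
        yield from hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1


def derive_site_password(master: str, domain: str, policy: SitePolicy,
                         counter: int = 0) -> str:
    """Return the password for `domain` under `policy`; same inputs, same output."""
    n = len(policy.allowed)
    if not 0 < n <= 256:
        raise ValueError("alphabet must have between 1 and 256 characters")
    if any(not set(cls) & set(policy.allowed) for cls in policy.required):
        raise ValueError("a required class has no character in the allowed set")
    limit = 256 - (256 % n)  # rejection sampling keeps the mapping unbiased
    stream = _byte_stream(_site_key(master, domain, counter))
    while True:
        chars = []
        while len(chars) < policy.length:
            b = next(stream)
            if b < limit:
                chars.append(policy.allowed[b % n])
        candidate = "".join(chars)
        # Keep drawing from the same stream until every required class shows up.
        if meets_policy(candidate, policy):
            return candidate


def meets_policy(password: str, policy: SitePolicy) -> bool:
    """Check length, alphabet and required-class constraints."""
    return (len(password) == policy.length
            and all(c in policy.allowed for c in password)
            and all(any(c in cls for c in password) for cls in policy.required))


if __name__ == "__main__":
    for site, pol in POLICIES.items():
        pw = derive_site_password("correct horse battery staple", site, pol)
        print(site, pw, meets_policy(pw, pol))
```

The rotation counter is what the thread's objection really forces: once a site's password must change (a breach, an expiry rule), the scheme cannot stay purely stateless, so the per-site record has to hold the policy and the current counter even though it never holds the password itself.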

  • I laughed when I went to his page and saw the description of the attack. We were timesharing on a B5500 at a major university and found the way to find active but un-logged in terminals and take control. When the login sequence was keyed in, we'd pop up a page identical to the proper login screen and ask for credentials. We'd write to a file, post the proper user ID but a wrong password to the system, and disconnect. The system would reply with the standard wrong password prompt, and the user would fig
    • If you have physical access to the terminal, eventually you can come up with a system to defeat almost all security.
      • Physical access was not actually (definitely) implied.

        We did similar in late 80s on unix / X-Windows boxen - the uni had set them up with a nifty graphical login because command line was so-last-year, but no security (standard in those days) on the X display connections. All you needed was a program that showed the same password prompt window and grabbed the username/pw. Even when display security was added it was bodged so any "local" process could connect to :0, and anyone could remote into any workstat

        • " but seems as an industry as a whole, we never learn and the old tricks still work" too true; I blame the PHB who want stock dividends and profits over long-term security and see IT as a money sink that the newest buzz words will magically fix.
      • This was entirely software-based. We didn't need physical access to the terminals. There was a pre-processor unit that multiplexed the terminals to a machine that was basically designed to be a batch-processing machine. This is where we were able to intercept the session.
        • Ah. I did something similar in the early 90's when my high school got their first LAN. You could control-break out of the login script and get dropped into a prompt that had read access to the login paths. Re-wrote the script to "error out" and prompt for the teacher's login again and wrote it to the local was only a matter of time before we had multiple credentials. We found the software they had bought also came with an internal BBS / posting board that they never implemented...much fun was had
  • LastPass's Response (Score:5, Informative)

    by hawkeey ( 1920310 ) on Monday January 18, 2016 @12:08AM (#51320315)

    Here's the response from LastPass: []
    (I think this link should be in the main summary for balance)

    As for Google Chrome, LastPass asks that you star Issue 39511 for extension infobars outside the DOM. Specifically here's LastPass asking for improvement in Chrome January 12th, 2012: []

    I am NOT affiliated with LastPass.

  • []

    It seems they've turned on email confirmation even for users with 2FA, along with a couple of other in-browser measures.
