Any active Internet user has many accounts on different websites, and each of them requires a username and password. Since it is impossible to keep everything in your head, an ordinary user usually writes them on a piece of paper and keeps it somewhere near the computer (we have already written here about why this is not recommended). An advanced user, in turn, uses a password manager to store this information.
But even the best password manager cannot always prevent accounts from being hacked. Recall, for example, how the security community was stirred by the news of a vulnerability in the KeePass password manager.
Recently, another popular password manager, LastPass, has found itself at the center of scandalous online headlines. Moreover, this is not the first failure of LastPass: it was hacked last summer, and as early as November 2015 several bugs were found in it again.
This time, the analyst Sean Cassidy created a tool, which he jokingly called ‘LostPass’. Masquerading as LastPass, this tool collects passwords in an automated phishing attack.
The essence of the LastPass vulnerability
Ironically, the ‘disservice’ comes from the software developers’ desire to make the session between the user and the Internet resource more secure. LastPass requires the user to re-enter the password several times during a session, and this is where the loophole for attackers hides: it turned out that at this moment a phishing page can be palmed off as the re-authorization prompt.
This page looks like the real one, with almost no difference in the address. Once the unsuspecting user enters his email and password, all the confidential information stored in LastPass becomes available to the fraudsters. The worst part is that the attackers get not just one password but all the data the password manager stores!
So far, LostPass works only in the Chrome browser, but Cassidy is working hard to show that the same tool can be built for Firefox as well.
Of course, the LastPass developers will change the code and patch the gaps found in their product’s security. But what should users do now, while the protection offered by password managers is not yet 100% reliable? And is there any guarantee that new vulnerabilities won’t pop up in the future?
The author of the tool himself recommends using the LastPass app instead of the browser extension, which deprives attackers of the chance to use the phishing page. But this method is time-consuming and inconvenient: the user has to copy each password from the LastPass web page and enter it manually.
Can 2FA (two-factor authentication) protect users from the new threat? Alas, Cassidy argues that one-time passwords can also be intercepted with his tool. But apparently the researcher means the traditional version of 2FA, with OTP codes delivered to the user via text message or email.
There is nothing to be afraid of, however, if hardware or software tokens are used: they generate one-time passwords for two-factor authentication offline. Moreover, if the token supports the CWYS (Confirm What You See) data signing function, it becomes even more reliable.
The CWYS function takes into account certain parameters characteristic of a particular transaction when generating and verifying one-time passwords. These parameters can include the IP address, the transfer amount, the addressee’s name, etc. In this case, even if the hackers intercept the one-time password, they will fail the server check: the data will not match.
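The following is an added illustration, not code from any token vendor or from the original post, of why a transaction-bound one-time password defeats the replay described above. It uses an HOTP-style construction (HMAC-SHA256 with RFC 4226 truncation) in which the transaction fields the user confirms on the token are mixed into the MAC; the secret, counter and transaction values are constructed sample data, and the exact wire format of a real CWYS implementation is an assumption.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

def canonical_tx(tx: dict) -> bytes:
    """Serialise the confirmed transaction fields in a fixed order so the
    token and the server MAC exactly the same bytes."""
    return "|".join(f"{k}={tx[k]}" for k in sorted(tx)).encode()

def otp(secret: bytes, counter: int, tx: Optional[dict] = None, digits: int = 6) -> str:
    """HOTP-style code (RFC 4226 dynamic truncation over HMAC-SHA256).
    With tx=None this is a plain counter-based OTP; with tx given, the
    transaction details are bound into the code (the CWYS idea)."""
    msg = struct.pack(">Q", counter) + (canonical_tx(tx) if tx else b"")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts(secret: bytes, counter: int, tx: dict, submitted: str, bound: bool) -> bool:
    """Server-side check: recompute the code from the transaction it is
    actually about to execute and compare in constant time."""
    expected = otp(secret, counter, tx if bound else None)
    return hmac.compare_digest(expected, submitted)

SECRET = b"constructed-demo-seed-not-a-real-key"  # constructed sample seed
COUNTER = 42                                        # constructed sample counter

def replay_scenario(bound: bool) -> Tuple[bool, bool]:
    """Returns (genuine_accepted, replayed_accepted) for a plain or a
    transaction-bound OTP when an intercepted code is re-used on a
    transaction the user never saw."""
    # What the user confirmed on the token display (constructed values)
    intended = {"amount": "100.00", "payee": "ACME Ltd", "client_ip": "203.0.113.7"}
    # What a phishing proxy silently submits together with the captured code
    tampered = {"amount": "9500.00", "payee": "Mule Account", "client_ip": "198.51.100.9"}
    code = otp(SECRET, COUNTER, intended if bound else None)
    genuine_ok = server_accepts(SECRET, COUNTER, intended, code, bound)
    replay_ok = server_accepts(SECRET, COUNTER, tampered, code, bound)
    return genuine_ok, replay_ok

if __name__ == "__main__":
    print("plain OTP  (genuine, replayed):", replay_scenario(bound=False))
    print("CWYS-bound (genuine, replayed):", replay_scenario(bound=True))
```

With a plain OTP the captured code is accepted for the tampered transaction as well; with the transaction-bound code the server's recomputation over the tampered fields no longer matches and the replay is rejected.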
Recent events show that authentication methods relying on reusable passwords cannot give users enough confidence in the protection of their data. Data protection by means of modern two-factor authentication methods (tokens, CWYS, OTP 2.0) is much more reliable.