Sean Cassidy is a LastPass user and a security researcher. About a week ago, he posted a blog entry about something he realized in using LastPass: because of its reliance on browser-based alerts and logins on the desktop, rather than using a separate interface or native app login, it was easy to spoof. He’d sorted out the details months ago, but he writes that miscommunication and delays led to LastPass not fixing all the problems before he presented his work at ShmooCon, a security event, in mid-January. Since then, LastPass has reworked remaining issues, provided a more thorough explanation to its users, and explained its future direction to better reduce this kind of spoofing attack.
At heart, it just reemphasizes something that’s been known for years: a browser’s content portion, its viewport, can’t be trusted. Since the dawn of anything worth spoofing on the World Wide Web, sites have appeared that impersonated others. The rise of secure web connections mitigated that, as browsers would warn users when an intended destination was rerouted, at least in some cases. Browser exploits, malware, and “evil twin” hotspots that could poison local networks have been used to push fake sites to users, too.
And phishing remains a constant problem. I imagine at least billions of messages go out each day that try to get people to click a link that takes them to a site that then attempts to snarf their login credentials or steal their identity. The LastPass problem runs in parallel with this, though it has a different cause and the company has released mitigation.
LastPass’s browser extensions push messages into the viewport, the browser’s main display area, using the same underlying structure and style code available to webpages.
Cassidy noted this is a problem, because of a sequence of not-improbable actions:
A user is phished or visits a malicious site, which can be any site, even one with seemingly legitimate content, but which has a malicious script.
That site uses JavaScript to determine whether LastPass is installed. (LastPass has a free version and is in wide use.)
If LastPass is installed, it draws a message in the viewport that looks exactly like a LastPass alert, which tells a user that their LastPass session has expired.
A user clicks the link, is taken to another website, but one that has a legitimate-looking address. (Cassidy registered one that might fool people, but there are billions of domains that could be registered that wouldn’t look skeevy, either.)
At that site, a user enters their credentials in what appears to be a LastPass login, again drawn in the viewport and which looks essentially identical to the real one, which uses a non-viewport pop-down menu. The site uses LastPass’s API (application programmer’s interface) to query LastPass servers and access or retrieve a user’s password vault.
LastPass says it’s added steps that will prevent this sequence and ones like it. First off, an attacking site can’t log the user out of its system, so there’s a mismatch between an active LastPass icon in the browser and the message.
[Screenshot from Sean Cassidy’s blog post: a spoofed LastPass login page in Chrome; the domain “” is relatively close to the real protocol, “chrome-extension”.]
Next, because LastPass monitors keystrokes (locally, without sending them back to its servers), it can tell when you type the master password for your account. It now stops you and warns you before submission if it’s happening anywhere but on its site. It also warns users if the master password is used for any other purpose, like on another website. (Cassidy notes that it relies on the same viewport, so a malicious attacker can block that warning, too.)
Finally, LastPass has beefed up how it allows logins from locations that haven’t previously been used and approved, both for single-factor (password only) and two-factor logins. Before the login can complete, a user receives a verification email and has to click a link in it.
LastPass notes that a user would have to have compromised email for that step to be hijacked, and this impersonation attack doesn’t rely on obtaining other credentials. Though it could ultimately be coupled with that, such a connection dramatically decreases its potential yield of password vaults.
LastPass says in its FAQ entry on Cassidy’s “LostPass” (as he dubbed it) that they’re working to break out of the viewport, though they are stymied in part by Google Chrome. Chrome is a quite locked-down browser, and praised for it. The current design doesn’t allow plug-ins to place messages anywhere but within the viewport, which limits what LastPass can do.