Researcher finds LastPass 2FA could become 1FA

Not only was LastPass using a password hash in its two-factor authentication scheme, but 2FA could be disabled by an attacker, a security researcher has found.
Written by Chris Duckett, Contributor

LastPass has resolved a number of issues with its two-factor authentication (2FA) implementation, after being alerted to the issues by Salesforce security researcher Martin Vigo.

The company said the problems are now resolved, and users do not have to take any action.

"To exploit this issue, an attacker would have needed to take several steps to bypass Google Authenticator," LastPass said in a blog post.

"First, the attacker would have had to lure a user to a nefarious website. Second, the user would have to be logged in to LastPass at the time of visiting the malicious site. This combination of factors decreases the likelihood that a user might be impacted."

According to Vigo's write-up, he discovered that Lastpass was using a hash of a user's password to generate the QR code that is used to set up 2FA on a user's device.

"Lastpass is storing the 2FA secret seed under a URL that can be derived from your password," Vigo said. "This literally beats the entire purpose of 2FA, which ... is a layer of security to prevent attackers already in possession of the password from logging in.

"To put it in perspective, imagine that you have a safe in your house were you keep your most valuable belongings. Do you think it is a good idea to have the same lock for the door and the safe? Should the door key open the safe as well?"

In combination with a cross-site request forgery (CSRF), Vigo said he was able to avoid the authentication restrictions LastPass had put around the 2FA process.

"It is also worth noting that it is not necessary for an attacker to lurk the victim into visiting his malicious website," he said. "Any XSS on sites trusted by the victim like Facebook or Gmail can be used by the attacker to add a payload to steal the QR Code and send it back to his server."

Vigo then found another, simpler hole that allow him to use a GET request to regenerate a user's 2FA seed, and by doing so, LastPass would disable a user's 2FA.

LastPass fixed the 2FA disabling issue by adding a CSRF token, and the company is looking to see if it has any other CSRF vulnerabilities. According to Vigo, the company has also added a check on the origin header for its QR code request, and replaced the straight password hash with a salted user ID-based hash.

The company applied its fix the day after Vigo informed them of the issues.

Over the past year, LastPass has had a run of outs on the security front.

In March, Google Project Zero researcher Tavis Ormandy found a remote code execution vulnerability on its Chrome extension that could allow for the proxying of untrusted messages to LastPass.

"This allows complete access to internal privileged LastPass RPC commands," Ormandy said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."

LastPass was earlier Ormandied in July 2016, when the Google researcher found bugs that allowed for a remote compromise of LastPass accounts.

"Are people really using this LastPass thing?" Ormandy said at the time.

LastPass was purchased by LogMeIn for $110 million in October 2015.

Editorial standards