More LastPass flaws: researcher pokes holes in 2FA

Recently we’ve been writing about LastPass more than seems healthy.

March saw two rounds of serious flaws made public by Google’s Tavis Ormandy (quickly fixed), which seemed like a lot for a single week. Days ago, news emerged of a new issue (also fixed) in the company’s two-factor/two-step authentication (2FA) security.

To borrow a phrase, all serious flaws are serious – but some are more serious than others.

This one matters for two reasons, only one of which will sound flippant: it wasn’t discovered by Tavis Ormandy, who at times has seemed to be writing a novella on flaw-hunting with the company’s name on it. That’s fine – researching vulnerabilities is his day job, after all.

Another researcher with a taste for LastPass, Martin Vigo, uncovered the latest issue, and it’s the 2FA bit of the story that explains the angst.

Two-factor authentication (a term often used loosely to cover the more convenient but less secure two-step verification as well) matters because it is the crown jewels of everyday security, especially for password managers such as LastPass.

It is the safety blanket that stops an attacker getting into the vault even if they get hold of the master password. While it’s possible to use LastPass without 2FA enabled, it’s not recommended; indeed, the wide variety of two-factor and two-step options is one of the service’s best features.

The flaws are explained by Vigo in a slightly confusing way (one of the compromises was subsequently shown not to be exploitable), but they cover overlapping weaknesses that might, under specific circumstances, allow 2FA to be bypassed when Google Authenticator is the second factor and the QR code used to set it up can be retrieved by the attacker.

The detail here is less relevant than the fact that Vigo found chinks in the armour of something highly sensitive to even the tiniest compromise.

LastPass’s response was to point out the conditions necessary for a successful attack:

First, the attacker would have had to lure a user to a nefarious website.

True, but hardly an impossible undertaking for someone already armed with the user’s master password.

Second, the user would have to be logged in to LastPass at the time of visiting the malicious site. This combination of factors decreases the likelihood that a user might be impacted.

Again, a user being logged into LastPass at the time of an attack is entirely possible.

Significantly, LastPass quickly stopped using the login hash (a value derived from the master password so that the server can verify the password without having to store it) to authorise retrieval of Authenticator’s QR codes. Because anyone holding the master password can recompute that hash, and because the QR code carries the secret seed from which every one-time code is generated, the second factor was only as strong as the first. LastPass now also sets a Cross-Site Request Forgery (CSRF) token to plug another weakness.
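To make the two weaknesses and the fix concrete, here is an added example in Python that models a toy password-manager back end. It is not LastPass’s code: the login-hash derivation (PBKDF2-HMAC-SHA256 keyed on the username), the iteration count, the endpoint names and the sample account are all assumptions made for illustration. It shows the “before” endpoint, where the QR-code contents (the TOTP seed) could be fetched with nothing but the login hash, so an attacker who already has the master password can mint valid one-time codes; and the “after” endpoint, which demands an authenticated session plus a CSRF token bound to that session, so neither the login hash nor a cross-site request from a logged-in victim’s browser will do. The TOTP routine is a straight RFC 6238 implementation of what Google Authenticator computes from the seed.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# --- Constructed sample account (not real LastPass data) ---
USERNAME = "alice@example.com"
MASTER_PASSWORD = "correct horse battery staple"
ITERATIONS = 5000  # assumption: real products use far more


def login_hash(username: str, password: str) -> str:
    """Deterministic value derived from the master password.
    Assumption: PBKDF2-HMAC-SHA256 salted with the username. The exact KDF is
    not the point; the point is that whoever holds the password can recompute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), ITERATIONS).hex()


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: what an authenticator app derives from the QR-code seed."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class Server:
    """Toy back end holding one user, their 2FA seed, and live sessions."""

    def __init__(self):
        seed = base64.b32encode(secrets.token_bytes(20)).decode()
        self.users = {USERNAME: {"login_hash": login_hash(USERNAME, MASTER_PASSWORD),
                                 "totp_secret": seed}}
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def qr_uri(self, user: str) -> str:
        # The otpauth URI is what the QR code encodes; it contains the seed in clear.
        return f"otpauth://totp/Example:{user}?secret={self.users[user]['totp_secret']}&issuer=Example"

    def login(self, user: str, password: str, otp: str, now: int):
        """Full login: master password AND a fresh one-time code."""
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(login_hash(user, password), record["login_hash"]):
            return None
        if not hmac.compare_digest(otp, totp(record["totp_secret"], now)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    # BEFORE: anyone presenting the login hash can pull the QR code (the seed).
    def fetch_qr_before(self, user: str, presented_login_hash: str):
        record = self.users.get(user)
        if record and hmac.compare_digest(presented_login_hash, record["login_hash"]):
            return self.qr_uri(user)
        return None

    # AFTER: needs an authenticated session cookie AND the CSRF token bound to it.
    # A cross-site request carries the cookie automatically, but the attacker's page
    # cannot read the token, and the login hash is no longer accepted at all.
    def fetch_qr_after(self, cookies: dict, form: dict):
        sess = self.sessions.get(cookies.get("session"))
        if sess is None:
            return None
        if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
            return None
        return self.qr_uri(sess["user"])


def attacker_with_master_password_before(server: Server, now: int) -> bool:
    """Attacker holds only the master password: recompute the hash, pull the seed,
    derive a valid code, and log in. Returns True if 2FA was bypassed."""
    uri = server.fetch_qr_before(USERNAME, login_hash(USERNAME, MASTER_PASSWORD))
    if uri is None:
        return False
    seed = uri.split("secret=")[1].split("&")[0]
    return server.login(USERNAME, MASTER_PASSWORD, totp(seed, now), now) is not None


def attacker_cross_site_after(server: Server, victim_sid: str):
    """Victim is logged in and visits a malicious page: the forged request has the
    session cookie but no CSRF token, so the hardened endpoint refuses it."""
    return server.fetch_qr_after({"session": victim_sid}, {})


def legitimate_fetch_after(server: Server, sid: str):
    """Same-origin request from the real app, carrying the session's CSRF token."""
    return server.fetch_qr_after({"session": sid}, {"csrf": server.sessions[sid]["csrf"]})


if __name__ == "__main__":
    s, now = Server(), 1_700_000_000
    print("before: 2FA bypassed with master password only ->", attacker_with_master_password_before(s, now))
    sid = s.login(USERNAME, MASTER_PASSWORD, totp(s.users[USERNAME]["totp_secret"], now), now)
    print("after: cross-site forged fetch ->", attacker_cross_site_after(s, sid))
    print("after: legitimate fetch ->", legitimate_fetch_after(s, sid) is not None)
```

The hardened endpoint still hands out the seed to a genuinely logged-in user, which is what an enrolment screen needs; what changed is that possession of the master password (or of the victim’s browser session from a cross-origin page) no longer suffices. Note also that the “before” server still asks for a one-time code at login and still fails, which is the whole lesson: a second factor whose seed can be fetched with the first factor is not a second factor.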

We still don’t know why LastPass has been plagued by so many issues in such a short space of time – perhaps it’s just a big-name target worth researching – but some of these weaknesses appear to be in its design, the result of decisions to do things in a certain way, probably some years in the past.

Vigo has been paid a bug bounty and, for now at least, LastPass’s 2FA design is back in equilibrium. It’s just the nerves of its users that are a bit shot.