LastPass has resolved a number of issues in its two-factor authentication (2FA) implementation after they were reported by Salesforce security researcher Martin Vigo.
The company said that the problems are now fixed and that users have nothing to worry about.
“To exploit the mentioned issue, an attacker needs to take several steps to bypass the Google Authenticator,” LastPass said in their blog post.
“First, the attacker would have had to lure a user to a malicious website. Second, the user would have to be logged into his LastPass account at the time of visiting the fake site. The combination of factors decreases the likelihood that a user may be impacted.”
According to Vigo’s write-up, he found that LastPass was using a hash of the user’s password to generate the URL of the QR code used to set up 2FA on the user’s device.
“LastPass is storing the 2FA secret seed under a URL which can be derived from the user’s password,” Vigo said. “This literally beats the whole purpose of having 2FA, which … is a layer of security to prevent attackers who are already in possession of the password from logging in.
“To put it in perspective, imagine that you have a locker in your house where you keep all your valuable belongings. Do you think it is a good idea to have the same lock for the door and the safe? Should the door key open the safe as well?”
“It is also worth noting that it is not necessary for an attacker to lure the victim into visiting his malicious website,” he said. “Any XSS on sites trusted by the victim like Facebook or Gmail can be used by the attacker to add a payload to steal the QR Code and send it back to his server.”
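As an added illustration (not code from the article, from Vigo, or from LastPass), the design flaw described above modelled beside a hardened alternative: the weak store files the seed under a key computed from the password alone, the hardened store under a random id handed out once to an authenticated session holding an anti-CSRF token. The approximation locator = SHA-256(password) is an assumption (the article only says the URL was derived from the password), and the hardened behaviour is an assumed mitigation, not what LastPass shipped.

```python
import hashlib
import secrets

# Constructed model, not LastPass code. Assumption: the weak scheme is approximated
# as locator = SHA-256(password); the article only says the URL was password-derived.

class WeakSeedStore:
    """2FA seed filed under a key that is a pure function of the password."""
    def __init__(self):
        self.seeds = {}

    def enroll(self, password):
        locator = hashlib.sha256(password.encode()).hexdigest()
        self.seeds[locator] = secrets.token_bytes(20)  # fresh TOTP seed
        return locator

    def fetch(self, locator):
        # No session or token check: anyone who can compute the locator gets the seed.
        return self.seeds.get(locator)

def seed_locatable_from_password(store, password):
    """True when the password alone is enough to reach the stored seed."""
    return store.fetch(hashlib.sha256(password.encode()).hexdigest()) is not None

class HardenedSeedStore:
    """Seed shown once to an authenticated session presenting its anti-CSRF
    token, then withdrawn from web retrieval once enrollment is confirmed."""
    def __init__(self):
        self.sessions = {}  # session id -> (user, anti-CSRF token)
        self.pending = {}   # user -> seed awaiting confirmation

    def login(self, user):
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[sid] = (user, csrf)
        return sid, csrf

    def _authorize(self, sid, csrf):
        user, expected = self.sessions[sid]
        if not secrets.compare_digest(csrf, expected):
            raise PermissionError("missing or wrong anti-CSRF token")
        return user

    def enroll(self, sid, csrf):
        user = self._authorize(sid, csrf)
        self.pending[user] = secrets.token_bytes(20)  # random, independent of password
        return self.pending[user]  # rendered as the QR code exactly once

    def confirm(self, sid, csrf):
        # Once the authenticator proves it holds the seed, drop the web-retrievable copy.
        return self.pending.pop(self._authorize(sid, csrf), None) is not None
```

The anti-CSRF check is what blocks the cross-site (XSS or lured-visit) fetch Vigo mentions, and the one-shot enrollment means a logged-in session alone no longer exposes an already-configured seed.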