Nowadays, one of the security measures that should not be missing from our online accounts is two-factor authentication. It is a measure that ensures that, if someone obtains our password, they still cannot log in without the corresponding access code, a randomly generated code that changes every 30 seconds. However, not all two-factor implementations are equally secure, and in the case of LastPass it is quite the opposite.
Most 2FA codes are generated from a seed combined with a timestamp, which makes it practically impossible to work out the code unless the 2FA implementation itself fails or the protocol design is flawed, and that is precisely the kind of flaw LastPass has committed.
Martin Vigo, a security expert, has discovered a design flaw in LastPass's two-factor authentication system that can render this security layer completely ineffective. The design error shows up when analysing the URL through which the QR code is delivered to the user: inside that address, the hash of the seed used to generate the codes is easy to find.
As we have explained, the purpose of two-factor authentication is that someone who has our password cannot log in to our account because they neither have nor can generate this random code. However, the URL through which LastPass delivers the QR code includes this seed, and although it is encoded, it can be extracted by anyone who already has the password for the account.
In theory, at least, we must already be authenticated on the platform in order to recover the QR code. But the LastPass platform is also vulnerable to a type of attack called Cross-Site Request Forgery (CSRF), through which it is possible to force the victim, who is authenticated, to make the recovery request on our behalf, whether through social engineering or through XSS attacks launched from trusted websites.
Beyond such targeted attacks to gain access to a user's entire password database, the QR code URL can also be retrieved in many other ways, for example from the browser history, by capturing network packets, or even by leaking out of a server or proxy cache.
How can I protect my LastPass account?
Although the flaw is real, the truth is that it is very complicated to exploit, as we have explained, so, roughly speaking, we have nothing to worry about. But the vulnerability really exists and, considering that we are talking about a company to which we have handed over absolutely all our passwords, it is certainly a matter for concern.
LastPass, for its part, has admitted the security bug and is already working on a solution, which may come by changing the type of hash to a more secure one that prevents recovery of the seed even when the attacker has the password, or simply by changing the way the seed is generated, without relying on the CSRF token.