Bypassing LastPass’s “Advanced” YubiKey MFA: A MITM Phishing Attack

Pepe Berba
May 29 · 12 min read

This is a medium-sized extract from a longer blog post of mine. In the full blog post I go a little more in-depth on the difference between U2F and OTP and on how LastPass decrypts your vault.

(Un)fortunately, this is NOT a MITM attack on U2F. LastPass doesn’t support U2F, so this is disappointingly simple. It uses Yubico OTP, which we know to be phishable.

In this article, I mainly show how to deploy a phishing attack on LastPass users, even when they are protected with YubiKey physical keys. This is to remind people that a YubiKey is not necessarily U2F.

Use security keys to prevent phishing

Image: Google’s transparency report [1]

In recent years, phishing has proven to be one of the most effective ways of hacking people. Instead of using a fancy new exploit to steal a victim’s credentials, the hacker just asks the victims to hand their credentials over.

How do we combat this? One answer is “use security keys!”

“We have had no reported or confirmed account takeovers since implementing security keys at Google” [2]

Below we see LastPass endorsing the use of YubiKeys. In the diagram, YubiKey is presented as more secure, easy to use, and not phishable.


With that said, I recently got myself some YubiKeys. To use this “Advanced Multi-factor Option” with LastPass, I needed a premium account. Being a long-time user of LastPass, I didn’t think twice and paid to upgrade to premium.

Within minutes, I felt shortchanged. It quickly became obvious that using a Yubikey did not make my LastPass vault any more secure against phishing.

Why? Lastpass’s integration with the YubiKey uses Yubico OTP and not U2F.

Is this important, and is U2F really THAT much more secure?

Let me show you why this is important.

How to deploy a phishing campaign

Let’s take a red team mindset to appreciate why phishing is so effective and how easy it is for us to fall for it. We use a reverse proxy to perform a “man-in-the-middle” (MITM) attack that steals the credentials and bypasses two-factor authentication (2FA).

Here’s an overview of how a MITM attack works.

Image: We’re nice people. We will log in to LastPass for you 😊

Of course, phishing using MITM applies to many other sites. What makes LastPass unique is that it is the only site that I personally use that is still vulnerable to MITM even when using a Yubikey.

Information Gathering

Let’s say you have to target an individual or a company. You first try to get a small collection of email addresses by searching through LinkedIn, GitHub, Twitter, blogs, and other OSINT sources.

Now with these target emails, you explore the options available for your attack. The LastPass vault is a gold mine of credentials since one phishing attack can result in many credentials. Let’s see if these emails are possible LastPass users.

Image: google@gmail.com uses LastPass?

Since the registration process checks the availability of an email address, we can use it to gather more intel. If the email address is taken, then it is likely that the owner uses LastPass.


If you want to enumerate a small list of potential targets, you can use this simple API, which returns ok/no.

GET https://lastpass.com/create_account.php?check=avail&skipcontent=1&mistype=1&username=google%40gmail.com

For targeted attacks, this is an effective way to check whether or not you can be phished on LastPass. Broader random attacks would be unlikely if the availability endpoint is rate limited.

Getting the right domain

Having a legitimate-looking domain might make it easier to trick the victim. There are a lot of ways that we can obtain a legitimate-looking domain: maybe a slight modification of the spelling, or a different TLD. We chose lastpass.com.es.

Image: as of 2020/05/25

Here are other examples of possible phishing domains for LastPass.

Image: as of 2020/05/25

These are domains that are affordable for a red team and individual hackers.

I hope you realize that in cases such as this one, a domain like lastpass.com.es is as suspicious as lastpaazz.com and lastpass.club.

Setting up the servers

To set up our phishing site I’ve prepared a fork of evilginx2 [4], which has some additional logic to steal the credentials from LastPass.

This is a golang application, so you would need to install golang and run the following commands:

It is surprising how mature the phishing tools are. Developing this took only around a day. It is easy to set up phishing sites for your bank or company website, complete with domain and SSL.


You can set this up on your favorite cloud hosting provider. After building the evilginx2 binaries, you run it and then configure the LastPass phishlet.

# sudo ./bin/evilginx -p ./phishlets/ -developer
> config ip 127.0.0.1
> config domain lastpass.com.es
> phishlets hostname lastpass lastpass.com.es
> phishlets enable lastpass

Then you create the link you want to bait them with. The redirect_url is the page you want the victim to end up on once you have all the necessary credentials.

> lures create lastpass
> lures edit redirect_url 0 https://www.youtube.com/watch?v=dQw4w9WgXcQ
> lures get-url 0

In our case, we want our victim to go to https://lastpass.com.es/QBFlGqJy

Note: These instructions are meant for testing this locally. For this to work locally, you might need to add the following to /etc/hosts:

127.0.0.1 lastpass.com.es
127.0.0.1 lp-cdn.lastpass.com.es
127.0.0.1 www.lastpass.com.es

Sending the Phishing Email

Assuming that you use an existing phishlet, what remains is making the phishing email. This is really where a lot of the work comes in: you have to somehow trick the user into clicking. Crafting a good phishing email is an art.


In this case, we say that we have revoked trusted devices so that, hopefully, the victim won’t be surprised if they get alerts about new logins.

Waiting for the credentials

When the victim clicks on the link, he will be redirected to the fake LastPass login.

Image: notice lastpass.com.es

And when LastPass requires 2FA, then the fake website will ask the victim to provide the second factor.


As previous work [4] has mentioned, the victim will likely have to verify with their email because the login activity is new. However, this might look less suspicious if we have already primed the victims to expect this by saying we’ve “revoked trusted devices”.

Image: screenshot from Versprite’s article [3]

Once the session is trusted, the victim’s browser will start to download the encrypted vault. We steal this using the proxy along with the username and password of the victim.


Afterward, the victim will be redirected to the site chosen earlier as the redirect_url.

Meanwhile, we have all that we need to get all the victim’s credentials.

Decrypting the vault

To decrypt the LastPass Vault, you would need 3 main ingredients:

  • LastPass Username
  • LastPass Password
  • Encrypted Vault

With a MITM, we can steal the victim’s username and password, and once the session is trusted after OTP from the YubiKey, we can download the encrypted vault.

The original intention of evilginx2 is to hijack the session, but I’ve found that it is easier to just dump the credentials in the vault. In theory, the proxy can get all the information necessary to take over the account.

In the project, I’ve provided a script, scripts/lastpass-python/dump_lastpass.py, which parses the evilginx2 DB and decrypts the credentials. The location of the DB depends on where the config file is; in my case it was /var/root/.evilginx/data.db.


This creates two files: one with the credentials of the LastPass accounts, and the other with the credentials found in the vaults. You get everything in the vault: name, folder, username, password, URL, and the secure notes associated with each item.

Image: creds-dump.csv

You can easily leverage this to try to take control of as many of the accounts as you can. To maximize your impact, you can write a script to automatically check if there are recovery codes in the notes. With the passwords and the recovery codes, you will have full control of their accounts.

Image: Should we put all our eggs in one basket?

Quick Notes on Phishing

Again, this problem is not specific to LastPass. You can be phished on almost any site you use. Some of them would have fewer protections than LastPass. However, among the main password managers, I think LastPass is the only one that still doesn’t support U2F.

How do we detect a phishing email?

It is trivial for an attacker to copy the design of an email. In our example, you might be able to detect it using the source domain, although sometimes even the domain can be spoofed if the legitimate domain is not configured properly.

Aside from the domain, the actual content is the only “fishy” thing.


As for the phishing website itself: gone are the days when phishing websites did not have SSL certificates [6]. The only thing that would give it away is the domain. Because of our MITM proxy, what the victim sees is an exact clone of the actual site. There would be no visual differences, and it is practically undetectable in the short term.


What are some ways you can protect yourself at this point?

If you use your password manager’s browser extension, it will not give you the password, because it doesn’t recognize the domain.

The password manager looks solely at the domain of the site and doesn’t care whether or not it looks like FB, Twitter, GitHub, or Google. For example, github.com is not the same as giithub.com, so if you are at giithub.com the password manager won’t give you any credentials.

Image: Why doesn’t my password manager show my GitHub credentials?!?! Is it broken?
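The rule described above, compared on the registrable domain (eTLD+1) rather than on what the page looks like, and the same check run over domains seen in email links or proxy logs, as an added example that is not LastPass’s or any extension’s code. It uses a constructed, tiny stand-in for the Public Suffix List and a hypothetical brand table, and it labels the lookalike patterns from the domain section (lastpass.com.es, lastpass.club, lastpaazz.com, giithub.com) by registrable-domain mismatch; the typosquat threshold is a heuristic for flagging candidates for review.

```python
# Constructed, tiny stand-in for the Public Suffix List (publicsuffix.org).
# A real check loads the full list; the `tldextract` package does that for you.
PUBLIC_SUFFIXES = {"com", "net", "org", "es", "com.es", "club", "uk", "co.uk"}

# Hypothetical brand table: brand name -> its one legitimate registrable domain.
LEGIT = {"lastpass": "lastpass.com", "github": "github.com"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of host: the longest public suffix plus one more label.
    This is the unit an autofill decision compares, so www.github.com -> github.com,
    while lastpass.com.es is its own registrable domain (com.es is a public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def autofill_allowed(page_host: str, credential_host: str) -> bool:
    """The extension's rule as modelled here: fill only when the registrable
    domains are identical. Visual similarity plays no part."""
    return registrable_domain(page_host) == registrable_domain(credential_host)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), used to spot typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Label a host seen in a mail link or proxy log relative to the LEGIT brands."""
    labels = host.lower().split(".")
    reg = registrable_domain(host)
    first = reg.split(".")[0]
    for brand, legit in LEGIT.items():
        if reg == legit:
            return "legitimate:" + brand
        if first == brand:
            return "brand-under-other-suffix:" + brand  # lastpass.com.es, lastpass.club
        if brand in labels:
            return "brand-as-subdomain:" + brand  # lastpass.com.evil.net (constructed)
        dist = levenshtein(first, brand)
        if 0 < dist / max(len(first), len(brand)) <= 0.35:
            return "typosquat:" + brand  # lastpaazz.com, giithub.com
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample of hosts as they might appear in mail links or proxy logs.
    for h in ["www.lastpass.com", "lastpass.com.es", "lastpass.club", "lastpaazz.com",
              "giithub.com", "lastpass.com.evil.net", "example.org"]:
        print(f"{h:24s} {classify(h):32s} "
              f"autofill lastpass.com creds: {autofill_allowed(h, 'lastpass.com')}")
```

The point the output makes is the one the extension makes silently: none of the lookalikes share a registrable domain with lastpass.com, so a credential stored for lastpass.com is never offered on them, however convincing the page looks.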

The special case here is your password manager itself! It is one of the only sites where I manually input my password, so it is still a prime target for phishing.

How can this happen?

“I thought if we use security keys we can prevent phishing?”

That is only true if we are using U2F or some sort of challenge-response protocol. Unfortunately, as we’ve previously mentioned, LastPass’s integration with YubiKey uses Yubico OTP.

Image: Works with YubiKey: LastPass [10]

The difference between Yubico OTP and U2F is subtle. The experience of each one is deceptively similar.

You are given a prompt, you insert your Yubikey, and you press the button. Now you’re in!

Image: “Insert your key and touch it”

YubiKey ≠ U2F

Why did I think that LastPass uses U2F? I think it boils down to naively associating YubiKey with security keys. But as I have learned, just because I’m using a YubiKey doesn’t mean it’s U2F.

It doesn’t help that there were pages like this.


The diagram suggests that using YubiKeys with LastPass makes you less “phishable” and more secure, which is only true when using U2F.

If we update the page to be more accurate, we should have something like this:

Image: “Corrected” diagram

Distinguishing between U2F and Yubico OTP makes it clear that the OTP is phishable. This is something we just demonstrated.
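To make the difference just demonstrated concrete, here is an added simulation of the two modes described in this section and in the “How can this happen?” section above. It is not Yubico’s, LastPass’s or any FIDO library’s code: the key formats, the HMAC-based toy signatures, the counters and the origins are all constructed for illustration. It shows why an OTP typed into a proxied page validates on the real server (nothing in the code names the page it was typed into) while a U2F assertion made on the proxy origin is refused (the key signs the origin the browser reports, and the server compares it with its own).

```python
import hmac
import secrets
from hashlib import sha256


def _mac(secret: bytes, msg: str) -> str:
    """Toy 'signature': HMAC-SHA256 stands in for the key's real signing algorithm."""
    return hmac.new(secret, msg.encode(), sha256).hexdigest()


class YubicoOtpKey:
    """OTP mode: a button press emits a self-contained one-time code derived from
    the key's secret and a press counter. It can be typed into any web page."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        self.counter += 1
        return f"{self.counter}:{_mac(self.secret, str(self.counter))}"


class U2fKey:
    """U2F mode: the key signs a server challenge together with the origin the
    browser reports. The user never sees or types the result."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def sign(self, challenge: str, browser_origin: str) -> dict:
        self.counter += 1
        client_data = f"{challenge}|{browser_origin}|{self.counter}"
        return {"client_data": client_data, "sig": _mac(self.secret, client_data)}


class RelyingParty:
    """The real login server: knows its own origin and each enrolled key's secret."""

    def __init__(self, origin: str, otp_key: YubicoOtpKey, u2f_key: U2fKey):
        self.origin = origin
        self.otp_secret, self.otp_last = otp_key.secret, 0
        self.u2f_secret, self.u2f_last = u2f_key.secret, 0
        self.pending = set()  # challenges issued but not yet answered

    def verify_otp(self, otp: str) -> bool:
        counter, mac = otp.split(":")
        ok = int(counter) > self.otp_last and hmac.compare_digest(mac, _mac(self.otp_secret, counter))
        if ok:
            self.otp_last = int(counter)  # each code is accepted once
        return ok  # nothing in the code says which page it was typed into

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_u2f(self, assertion: dict) -> bool:
        challenge, origin, counter = assertion["client_data"].split("|")
        if challenge not in self.pending or origin != self.origin:
            return False  # unknown challenge, or signed for a different site
        if int(counter) <= self.u2f_last:
            return False  # stale counter
        if not hmac.compare_digest(assertion["sig"], _mac(self.u2f_secret, assertion["client_data"])):
            return False
        self.pending.discard(challenge)
        self.u2f_last = int(counter)
        return True


def run_scenarios(proxy_origin: str = "https://lastpass.com.es") -> dict:
    """Run the four cases and report what the real server accepts."""
    otp_key = YubicoOtpKey(secrets.token_bytes(32))
    u2f_key = U2fKey(secrets.token_bytes(32))
    rp = RelyingParty("https://lastpass.com", otp_key, u2f_key)

    # 1. Victim presses the key on the proxied page; the proxy forwards the code unchanged.
    otp = otp_key.press()
    otp_relayed = rp.verify_otp(otp)
    # 2. The same code presented a second time is refused: OTPs are single-use,
    #    which stops replay but does nothing against a live relay.
    otp_replayed = rp.verify_otp(otp)
    # 3. Proxy forwards the server's real challenge, but the victim's browser is on
    #    the proxy origin, so that is the origin the key signs.
    u2f_relayed = rp.verify_u2f(u2f_key.sign(rp.new_challenge(), proxy_origin))
    # 4. Same key used directly on the real site.
    u2f_direct = rp.verify_u2f(u2f_key.sign(rp.new_challenge(), rp.origin))

    return {"otp_relayed": otp_relayed, "otp_replayed": otp_replayed,
            "u2f_relayed": u2f_relayed, "u2f_direct": u2f_direct}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:13s} accepted by real server: {accepted}")
```

The two keys and the two user experiences are identical from the outside (insert, touch), and the only line that decides the outcome is the origin comparison in verify_u2f; in the OTP path there is no such line because the server has nothing to compare.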

Here is another page [5] which misled me:

Image: Immune to MITM? What am I missing?

Technically, this is true when using U2F. But considering that LastPass doesn’t support security keys, I think that statement is misplaced.

When I looked at some articles online, I saw that I’m not alone in incorrectly assuming that LastPass supports U2F. Here are some articles that might have gotten it wrong: [7], [8], and [9].


The article below didn’t mention explicitly that LastPass supports U2F, but the association is there.


It was surprising to find out that LastPass didn’t support U2F.

“If there’s one area where you’d expect U2F technology to be encouraged, it’s among password managers.” [7]

For those more experienced, this may all have been really obvious, but for the others, I hope you can learn from my experience. Simply looking at a table like this is misleading.

Image: https://twofactorauth.org/

“Hardware Token” can refer to both OTP and U2F. You have to look specifically at whether or not it is U2F (or a similar protocol).

Image: https://www.dongleauth.info/

Moving out of LastPass

Less than 24 hours after paying for a LastPass premium account, I’m moving out.

Given the current lack of U2F support, the lack of concrete plans to support U2F, and the sketchy plaintext URLs [12], I’m done with LastPass. I don’t know why I have stayed with it for so long.

Now that I really think about it, my ideal password manager should have the following properties:

  1. Supports U2F for multifactor authentication to prevent phishing
  2. Is open-sourced and third-party audited [11]
  3. Is self-hosted on my own servers

I’m currently looking into Bitwarden, maybe self-hosted. If you have suggestions or comments on what password manager to use, I’d appreciate it.

If you want more details on the differences between U2F and OTP and on how LastPass decrypts your vault, you can check out the full blog post.

U2F and Security Keys


How LastPass decrypts your vault


References

[1] Google Transparency Report

[2] Krebs on Security, “Google: Security Keys Neutralized Employee Phishing (2018)”

[3] Versprite, Utilizing Reverse Proxies to Inject Malicious Code & Extract Sensitive Information.

[4] https://github.com/kgretzky/evilginx2

[5] Lastpass Help, Use YubiKey Multifactor Authentication

[6] Krebs on Security, Phishers Are Upping Their Game. So Should You.

[7] John Leyden, PortSwigger The Daily Swig, U2F nowhere near ready for prime time

[8] Josie Colt, Wired, Simplify and Secure Your Online Logins With a YubiKey

[9] ZDNet, Best security keys in 2020

[10] Yubico, LastPass Premium and Families

[11] Bitwarden Completes Third-party Security Audit

[12] PSA: LastPass Does Not Encrypt Everything In Your Vault

Photo by Ethan Sexton on Unsplash

Pepe Berba

Written by

Stats, security, and crypto | ML at Thinking Machines | GMON, CCSK | Used to work in a SOC and now taking up my masters in Data Science

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew