LastPass closes a leak that allowed two-factor authentication to be disabled

Password manager LastPass has patched a vulnerability in its software that allowed it to disable two-factor authentication. The leak was discovered by researcher Martin Vigo. He reported two vulnerabilities, one of which was found to be unusable.

LastPass reports that the vulnerability has now been fixed and that users are not required to take any action. According to the company, to disable the two-factor authentication, the attacker was required to lure the victim to a malicious website. The visitor must be logged in to the password manager. LastPass claims that this would make it more difficult to exploit the vulnerability.

Researcher Vigo has published his findings in his own blog post. In it, he initially reported that he found out that LastPass stores the secret, which, along with a timestamp, is needed to create a temporary passcode in a url that is generated from the user’s password.

According to him, this makes the entire use of two-factor authentication useless, because it is supposed to protect against an attacker who already has the password. However, he made a mistake in his analysis, which means that this vulnerability is not exploitable but still shows a poor implementation, according to Vigo.

However, a second problem described by Vigo remains valid. That makes it possible to disable two-step authentication via csrf. This only requires the attacker to send the victim to a website that they control. LastPass solved this by implementing a csrf token. LastPass’ blog post still talks about bypassing two-factor authentication, probably in response to the researcher’s original report.