LastPass has patched a severe vulnerability in their password manager that allowed attackers to bypass the company's two-factor authentication (2FA) system.
According to the Martin Vigo, founder of Triskel Security and the security researcher who discovered this flaw, the vulnerability can only be exploited when an attacker has already compromised the user's LastPass master password.
While this sounds like a non-issue, it is not. The main purpose why 2FA was invented to begin with was to act as a second layer of protection just for these cases, where the attacker has managed to guess or get hold of the user's password.
This means Vigo's attack could have been used to nullify LastPass 2FA altogether, stripping away this second layer of protection.
According to Vigo's technical write-up, the entire issue at the heart of this vulnerability was the fact that LastPass was storing the 2FA secret seed [in the form of a QR code] under an URL that was derived from the user's password.
This meant that the attacker only had to compute and retrieve this QR code, stored under a local URL, and he would have been able to determine the 2FA secondary code and access the user's LastPass passwords trove.
In a bug report filed with LastPass, Vigo detailed a successful attack he performed locally:
According to Vigo, LastPass pushed a temporary fix on the day he reported the vulnerability at the start of February. In a blog post published yesterday, the company announced it fixed all issues surrounding this bug.
In March, Google security researcher Tavis Ormandy discovered three bugs in LastPass that allowed attackers to use malicious websites and retrieve user passwords from LastPass accounts.
LastPass is a very popular password manager, especially after it became free for all users and on all devices last fall.