LastPass has patched a severe vulnerability in their password manager that allowed attackers to bypass the company's two-factor authentication (2FA) system.

According to the Martin Vigo, founder of Triskel Security and the security researcher who discovered this flaw, the vulnerability can only be exploited when an attacker has already compromised the user's LastPass master password.

While this sounds like a non-issue, it is not. The main purpose why 2FA was invented to begin with was to act as a second layer of protection just for these cases, where the attacker has managed to guess or get hold of the user's password.

This means Vigo's attack could have been used to nullify LastPass 2FA altogether, stripping away this second layer of protection.

LastPass used user password to derive QR code URLs

According to Vigo's technical write-up, the entire issue at the heart of this vulnerability was the fact that LastPass was storing the 2FA secret seed [in the form of a QR code] under an URL that was derived from the user's password.

This meant that the attacker only had to compute and retrieve this QR code, stored under a local URL, and he would have been able to determine the 2FA secondary code and access the user's LastPass passwords trove.

In a bug report filed with LastPass, Vigo detailed a successful attack he performed locally:

- Attacker lures user on any website vulnerable to an XSS (cross-site scripting) bug
- Because the attacker can derive the QR code URL from the user's existing password, he uses the XSS attack to load and save the QR code image
- Attacker scans QR code with Google Authenticator, which LastPass uses for 2FA operations
- Attacker gets the 2FA code and access the user's account

LastPass fixed bug in February

According to Vigo, LastPass pushed a temporary fix on the day he reported the vulnerability at the start of February. In a blog post published yesterday, the company announced it fixed all issues surrounding this bug.

In March, Google security researcher Tavis Ormandy discovered three bugs in LastPass that allowed attackers to use malicious websites and retrieve user passwords from LastPass accounts.

Vigo had previously found several issues in LastPass in 2014 and 2015 while working as a security engineer at Salesforce.

LastPass is a very popular password manager, especially after it became free for all users and on all devices last fall.

Related Articles:

Russia Runs Incomplete, Slow, Sloppy Vulnerability Database

New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed

Adobe Patch Tuesday Is Out With Fixes for Flash Player, Acrobat, Reader, More

Unpatched Flaw Disclosed in WordPress CMS Core

You Can Bypass Authentication on HPE iLO4 Servers With 29 "A" Characters