Vulnerability in LastPass made two-factor authentication useless

23 April 2017, 00:45 | Technologies

LastPass has fixed a serious vulnerability in its password manager that allowed the two-factor authentication mechanism to be bypassed. According to the researcher who discovered it, Martin Vigo, the flaw can be exploited only by an attacker who has already obtained the user's master password.

The problem should not be underestimated. Two-factor authentication is the second layer of protection for the case where attackers have somehow obtained the user's master password. The vulnerability found by Vigo reduces the effectiveness of two-factor authentication in LastPass to zero, rendering it completely useless.

The problem was that LastPass stored the private cryptographic key, in the form of a QR code, at a URL derived from the user's password. An attacker who knows the password only needs to compute that locally derived URL, retrieve the QR code, obtain the second authentication factor, and open the victim's password manager.
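The design flaw above, a resource path that is a pure function of the credentials, next to one mitigation pattern (a random, single-use token bound to the requesting session). This is an added illustration, not LastPass's actual URL scheme or its fix; the account values and the TOTP seed are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample values; this models the design flaw described in the article,
# not LastPass's actual URL scheme or its fix.
USERNAME = "alice@example.com"
MASTER_PASSWORD = "correct horse battery staple"
TOTP_SEED = "JBSWY3DPEHPK3PXP"  # constructed 2FA secret that the QR code would encode


def weak_qr_path(username: str, password: str) -> str:
    """Vulnerable pattern: the QR image is addressed by a value derived purely from
    the credentials, so anyone who holds the password can compute the same path."""
    digest = hashlib.sha256(f"{username}:{password}".encode()).hexdigest()
    return f"/qr/{digest}.png"


class HardenedQrStore:
    """One mitigation pattern: address the QR image by a random, single-use token
    bound to the authenticated session that requested it; serve it to no one else."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # token -> owning session id

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # unpredictable, not derived from any secret
        self._tokens[token] = session_id
        return f"/qr/{token}.png"

    def fetch(self, path: str, session_id: str) -> Optional[str]:
        token = path[len("/qr/"):-len(".png")] if path.startswith("/qr/") else ""
        owner = self._tokens.pop(token, None)  # consumed on first attempt, success or not
        if owner is None or not hmac.compare_digest(owner, session_id):
            return None  # unknown token, already used, or presented by another session
        return TOTP_SEED


if __name__ == "__main__":
    store = HardenedQrStore()
    path = store.issue("session-of-alice")
    print("weak path is reproducible from the password:", weak_qr_path(USERNAME, MASTER_PASSWORD))
    print("hardened path cannot be predicted:", path)
    print("wrong session gets:", store.fetch(path, "session-of-attacker"))
```

Binding the token to a session removes the password-derived shortcut but does not by itself address script running inside the victim's own origin, so the XSS described below still needs fixing separately.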

Vigo described the attack as follows. Using social engineering, an attacker lures the user to a site with an XSS vulnerability.

The attacker then retrieves the QR code from the locally derived URL, built from the password already known to him, and uses the XSS attack to load and save the image. Scanning the QR code with the Google Authenticator app, which LastPass uses for two-factor authentication, gives the attacker the second code and lets him open the password manager.

Vigo reported the problem to the vendor in February of this year, and a temporary fix was issued the same day. On April 20 the vulnerability was fully fixed.
