LastPass Users’ Passwords May Be at Risk of Phishing Attack

A security researcher has just dropped a bombshell on LastPass: a phishing attack against the password manager could allow an attacker to steal users' e-mail addresses, passwords and even their two-factor authentication codes. Ultimately, that gives criminals access to every single document or password LastPass stores.

Dubbed LostPass, the code is now available on Github, a site where 12 million people go to discover and contribute to software projects. Sean Cassidy, CTO of cloud-based security solution provider Praesido, revealed the research during a special presentation at the ShmooCon East Coast hacker conference Saturday.

"LostPass works because LastPass displays messages in the browser that attackers can fake," Cassidy wrote in a blog post. "Users can't tell the difference between a fake LostPass message and the real thing because there is no difference. It's pixel-for-pixel the same notification and login screen."

How LostPass Works

Here's the backstory: LastPass displayed a message on Cassidy's browser a few months ago letting him know that his session had expired and prompting him to log in again. The only thing was he hadn't used LastPass at that time or done anything that would have forced an automatic log out.

"When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification," Cassidy said. "Since LastPass has an API that can be accessed remotely, an attack materialized in my mind."

For LostPass to work, a victim has to first visit a malicious site, then the hacker has to take several steps in a specific order: (1) check for LastPass and show the user an expired-session notification; (2) direct the victim to the login page and encourage the individual to click on a fake banner that leads to a hacker-controlled page that looks identical to the LastPass page; (3)...
