On high alert
LastPass, one of the more popular password managers, has put a new security measure in place to protect user accounts against a phishing attack that imitates its own login prompts.
Like other password managers, LastPass allows users to store multiple login details for various sites and services, which they can then access using a single master password. It’s not only convenient, but also allows users to create more complex passwords than they might otherwise use, since they only have to remember a single login.
However, LastPass recently came under fire when Sean Cassidy, a security researcher at Praesidio, described in a blog post how easy it would be for a hacker to “steal a LastPass user’s email, password, and even two-factor authorization code, giving full access to all passwords and documents stored in LastPass.”
What’s ultimately at issue is the LastPass pop-up that appears in browsers and how easy it is to spoof. According to Cassidy, it’s nigh impossible to tell the difference between the real deal and a fake one because “pixel-for-pixel” it’s the same notification and login screen. The underlying problem is where the prompt is drawn: anything rendered inside the browser viewport is under the control of whatever page is loaded there, so a visiting site can reproduce the notification, the login form and the two-factor prompt exactly, and visual inspection alone cannot tell them apart.
“A few months ago, LastPass displayed a message on my browser that my session had expired and I needed to log in again. I hadn’t used LastPass in a few hours, and hadn’t done anything that would have caused me to be logged out. When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification,” Cassidy explains.
“Any malicious website could have drawn that notification. Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well,” Cassidy added.
His spoofing code, which he calls LostPass, is available on GitHub. LastPass is aware of the issue and is taking measures to beef up its security.
“We did work directly with Sean Cassidy, and can confirm this is a phishing attack, not a vulnerability in LastPass,” a company spokeswoman told FastCompany. “However, we’ve released an update that will prevent a user from being logged out by the phishing tool, thereby mitigating the risk of the phishing attack. In addition, LastPass has a built-in security alert to let you know when you’ve entered your master password into a non-LastPass web form.”
One of the security measures LastPass recently added is an email confirmation sent to a user whenever it detects a login attempt from a new IP address or device. Previously those alerts weren’t sent to users who had two-factor authentication enabled; now they go to every account, which matters here because LostPass is designed to capture the two-factor code along with the master password.