LastPass users are vulnerable to a simple phishing attack in Chrome


    LastPass, one of the most popular password managers, has had security problems more than once. The service was breached in the summer of 2015, after which users were prompted to change their master passwords. In November 2015, security researchers disclosed a series of bugs in the service that could let an attacker obtain user credentials.

    Now it turns out that the service's two-factor protection does not help against a simple phishing attack. Security researcher Sean Cassidy, who found the problem, named it "LostPass" and built a proof-of-concept tool to demonstrate it.

    The problem is that, under certain conditions, LastPass notifies the user that the session has expired and asks them to log in again. If an attacker shows a fake version of that notification on a site they control, two-factor authentication does not protect the user: the account is compromised anyway. A fake form that looks like the usual LastPass login form will fool many people, especially since its address looks much like the service's own internal URL.


    Having captured the credentials, the attacker can verify them without difficulty and, where two-factor authentication is enabled, prompt the victim for the one-time code as well, checking it against the LastPass API. Notably, all of this works only in Chrome: other browsers display the service's notifications in a different way, outside the page content.
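    The article notes that the phishing page's address merely resembles the extension's own URL. Chrome extension pages live under chrome-extension://<id>/, where the id is exactly 32 letters from a to p, and the real web login lives on lastpass.com. The following is an added example, not part of the article or of Cassidy's LostPass tool, showing how a browser-side check can tell a genuine login address from a lookalike: exact scheme and host comparison rather than "looks similar". The extension id in the allowlist is a made-up placeholder, not LastPass's real id.

```javascript
// Added example: classify a login form's address as genuine or lookalike.
// Assumption: the allowlisted extension id below is a placeholder, not a real one.
const EXTENSION_ID_RE = /^[a-p]{32}$/; // Chrome extension ids: 32 chars, letters a-p only

const TRUSTED_EXTENSION_IDS = new Set([
  "abcdefghijklmnopabcdefghijklmnop", // hypothetical id standing in for the real extension
]);

// The real web login host; compared exactly, never with endsWith/includes,
// so "lastpass.com.evil.example" does not pass.
const TRUSTED_WEB_HOSTS = new Set(["lastpass.com"]);

function classifyLoginUrl(rawUrl, trustedIds = TRUSTED_EXTENSION_IDS, trustedHosts = TRUSTED_WEB_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { trusted: false, reason: "unparseable URL" };
  }

  if (url.protocol === "chrome-extension:") {
    const id = url.hostname;
    if (!EXTENSION_ID_RE.test(id)) {
      return { trusted: false, reason: "malformed extension id" };
    }
    if (!trustedIds.has(id)) {
      return { trusted: false, reason: "extension id not in allowlist" };
    }
    return { trusted: true, reason: "known extension id" };
  }

  if (url.protocol === "https:") {
    // WHATWG URL lowercases hostnames for https, so LastPass.com and lastpass.com compare equal.
    if (trustedHosts.has(url.hostname)) {
      return { trusted: true, reason: "known web login host" };
    }
    return { trusted: false, reason: `https host ${url.hostname} is not the service's login host` };
  }

  // data:, http:, file: and anything else can host a pixel-perfect copy of the form.
  return { trusted: false, reason: `scheme ${url.protocol} is neither chrome-extension: nor https:` };
}

// Constructed sample addresses: one genuine extension page, one genuine web login,
// and four lookalikes of the kind a phishing page might present.
const SAMPLE_URLS = [
  "chrome-extension://abcdefghijklmnopabcdefghijklmnop/login.html",
  "https://lastpass.com/login",
  "https://chrome-extension.example/abcdefghijklmnopabcdefghijklmnop/login.html",
  "chrome-extension://abcdefghijklmnopabcdefghijklmnoq/login.html",
  "https://lastpass.com.evil.example/login",
  "data:text/html,<h1>Your LastPass session has expired</h1>",
];

function auditSampleUrls() {
  return SAMPLE_URLS.map((u) => ({ url: u, ...classifyLoginUrl(u) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditSampleUrls()) {
    console.log(`${r.trusted ? "GENUINE " : "LOOKALIKE"} ${r.url} (${r.reason})`);
  }
}
```

The check is deliberately strict: a single wrong character in the extension id, an extra label on the hostname, or a different scheme is enough to reject, which is exactly the distinction a user eyeballing the address bar tends to miss.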

    Cassidy says he reported the issue to the service's developers and was told that this is not a vulnerability but phishing. In his view, unless the company changes how its notifications are displayed in Chrome, LastPass users remain at risk. To avoid losing their data, Cassidy advises entering credentials only on the LastPass website itself, never in a form that pops up inside another page. Authenticating through the LastPass application rather than the browser extension is another option.
