LastPass is used to store users' passwords in the cloud in an encrypted vault protected by a single username and password. This vault can additionally be protected with two-factor authentication.
A security researcher has released a tool called LostPass (available on GitHub) that allows an attacker to steal a LastPass user's email, password, and even two-factor authentication code, giving full access to all passwords and documents stored in LastPass.
Sean Cassidy, chief technology wonk of Seattle-based security outfit Praesidio, said: "I call this attack LostPass. LostPass works because LastPass displays messages in the browser that attackers can fake."
“Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference.”
“It’s pixel-for-pixel the same notification and login screen.”
Criminals could make their own phishing pages targeting the new LastPass version 4 “in less than a day”, he added.
“Unlike most phishing attacks, users won’t be on their guard because this isn’t supposed to be a secure website,” Cassidy says.
“If they have LastPass installed, show the login expired notification and log the user out of LastPass [which] will make it appear to the user that they are truly logged out.
“Once the victim clicks on the fake banner, direct them to an attacker-controlled login page that looks identical to the LastPass one.”
Attackers who get into accounts can add themselves as an emergency contact to ensure persistence, he says.
LastPass said email verification will all but neuter the attacks unless email accounts are also compromised.
“The verification process significantly reduces the threat of this phishing attack,” the company says in a post to which it is directing concerned social media users.
“The attacker would need to gain access to the user’s email account as well, which could also be mitigated by two-factor authentication for their email account.”