LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com)

← Back to Stories (view on slashdot.org)

LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com)

Posted by samzenpus on Sunday January 17, 2016 @01:02PM from the protect-ya-neck dept.

An anonymous reader writes: Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password. He developed a tool called LostPass that automates phishing attacks against LastPass, and even allows attackers to collect password vaults from the LastPass API.

5 of 146 comments (clear)

Min score:

Reason:

Sort:

after reading the details, this is significant by raymorris · 2016-01-17 13:17 · Score: 5, Informative

I read through the details and this is pretty significant. It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser, but it was demonstrated that even that isn't sufficient. This looks like a significant problem for Lastpass and any others with a similar UI.
For anyone who doesn't care to read the details, here's the crux of the problem:
Lastpass prompts for the master password -within- the browser window. Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog, so users can't tell the difference. Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.
1. Re:after reading the details, this is significant by reve_etrange · 2016-01-17 13:34 · Score: 5, Informative
  
  It's really a Chrome issue, on Firefox LasPass uses an OS dialog. According to TFA there's an outstanding issue report in chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).
  
  --
  .: Semper Absurda :.
Re:Seems like time to consider the alternatives by Duckman5 · 2016-01-17 14:18 · Score: 4, Informative

keepass is cross platform, using the same file on Linux/Win/Android/MacOS. You can store the encrypted database in a cloud-based service like dropbox and have a highly portable system for password storage on-line & off-line.
That's what I do. For added security, I have a key file that I never put online and only stored locally on my laptop/phone. That way, even if someone gets my database AND somehow intercepts my password they're still out in the cold.
KeeCloud is a good place to start. Then just pick a browser integration plugin and you're off. For android, Keepass2Android is a good choice, too. It has an integrated keyboard that will directly type the username and password into the browser (or app) so you can avoid all those clipboard stealing exploits.
LastPass's Response by hawkeey · 2016-01-17 16:08 · Score: 5, Informative

Here's the response from LastPass:
https://lastpass.com/support.p...
(I think this link should be in the main summary for balance)
As for Google Chrome, LastPass asks that you star Issue 39511 for extension infobars outside the DOM. Specifically here's LastPass asking for improvement in Chrome January 12th, 2012:
https://code.google.com/p/chro...
I am NOT affiliated with LastPass.
I wish. See the Firefox screenshot by raymorris · 2016-01-17 16:26 · Score: 3, Informative

Check out the Firefox screenshot that the researcher included. On Firefox the fake dialog still looks exactly like the legitimate dialog. It looks just like an OS window that has popped up in front of the browser window. You'd only know something was amiss if you tried to drag out to a different part of the desktop so it was no longer "in front of" (actualy within) the browser.