Slashdot Mirror


LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com)

An anonymous reader writes: Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password. He developed a tool called LostPass that automates phishing attacks against LastPass, and even allows attackers to collect password vaults from the LastPass API.

1 of 146 comments

  1. not exactly, see Firefox screenshot by raymorris · Score: 4, Insightful

    The blog entry in which the guy describes the attack has a screenshot of the attack in Firefox. The screenshot also includes a legitimate LastPass dialog, showing that the fake looks -exactly- like the real LastPass dialog.

    The thing is, the browser can draw something that looks exactly the same as an OS dialog, and it can be dragged around just like the OS dialog. The difference shows up only if you minimize the browser, or already have the browser window small and you then try to drag "the LastPass" dialog far enough that it's no longer "in front of" the browser window.