Slashdot Mirror


LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com)

An anonymous reader writes: Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password. He developed a tool called LostPass that automates phishing attacks against LastPass, and even allows attackers to collect password vaults from the LastPass API.

3 of 146 comments

  1. after reading the details, this is significant by raymorris · Score: 5, Informative

    I read through the details and this is pretty significant. It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser, but it was demonstrated that even that isn't sufficient. This looks like a significant problem for Lastpass and any others with a similar UI.

    For anyone who doesn't care to read the details, here's the crux of the problem:

    Lastpass prompts for the master password -within- the browser window. Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog, so users can't tell the difference. Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.

    1. Re:after reading the details, this is significant by reve_etrange · Score: 5, Informative

      It's really a Chrome issue; on Firefox LastPass uses an OS dialog. According to TFA there's an outstanding issue report in chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).

      --
      .: Semper Absurda :.
  2. LastPass's Response by hawkeey · Score: 5, Informative

    Here's the response from LastPass:
    https://lastpass.com/support.p...
    (I think this link should be in the main summary for balance)

    As for Google Chrome, LastPass asks that you star Issue 39511 for extension infobars outside the DOM. Specifically, here's LastPass asking for improvement in Chrome on January 12th, 2012:
    https://code.google.com/p/chro...

    I am NOT affiliated with LastPass.