LastPass Users Vulnerable to Devastating Phishing Attack

- Inside LastPass, you have the option to turn off all notifications in the browser bar; if you turn them off (uncheck them all under Preferences), then whenever something pops up as a notification, you know it's bogus.

Thank you for posting this option. :dance: I have been using LastPass for the last 5 to 6 years and like it very much. I had planned on only using the button on my browser, but now that I have turned off all of the notifications, I don't even need to be tempted to click on anything.

I agree, it was great advice and only a small inconvenience to the user for added security.
 
Yes, I believe this is correct, you have to add new sites manually. The convenience of that strip plays into the hackers' hands as it can apparently be "spoofed".
Generally the strip appears only after one is logging out of a new site. So it would seem to me that the timing indicates it is not a spoof. But that is maybe a small quibble and I guess I have to reluctantly agree that the best thing is manually setting up a new login.

Also sometimes that green strip has not worked for me or has worked in an incorrect fashion on some sites. So I have to correct the entry manually anyway.
 
Since we are talking about Lastpass, I want to mention one thing. I've set up my Lastpass so that if I want to see the password for an entry, I have to re-enter my Lastpass login. This is because should someone be able to see my Lastpass open vault, all the passwords won't be visible. For a phone with a fingerprint reader, this is easy to live with.

To do this: under Alerts in Advanced Settings, in "Re-prompt for your LastPass master password before you:" check the box for "Access a Site's password".
 
Good advice. This is something I have done from the start. I've only just disabled the in-browser window as a result of this thread.
 
Great advice on this thread. Limiting show password is a good idea. I'm glad it was mentioned.

I've also disabled notifications and I'm not going to miss it one bit. A lot of sites that I visited where I already had a username/password would cause Lastpass to post a notification. I ignore it, but it's always annoyed me (and I've been too lazy to figure out how to get rid of it). Now I have the perfect solution: disable notifications completely.
 
Another security feature I've used since day one is to limit from what country my account can be accessed. It's always set for the US and when I travel, I enable countries that I'll be visiting and disable them when I get back. It probably isn't a lot of protection, but I figure everything helps.
 
Good idea. I have it set to US too. No need to give those Eastern European hackers any advantages. ;)
 
+1

I do the same thing. Given that many of these criminals operate from overseas, this makes perfect sense.
 
I also do this. Nice feature.
 
True, but it's pretty easy to go through a VPN. I'm sure the people doing this are technical enough to figure that out, so the added protection is most likely limited.
 
True, but every little helps.

When we go to the UK and Europe in April it will be for 6 months, so I'll turn off access from US IP addresses while we are over there.
 
Quick question for you or anyone who has been in Europe for an extended period. We were in Italy in September and my Nexus 7 tablet went a little wonky. It did a system update which I did not want but went through anyway while there, possibly because I did not cancel the notification. In the future I would cancel any such notification until home. When I got home it was still acting up, even with a patient Google engineer's assistance. So I did a factory reset and reinstall. Actually the factory reset helped a bit in other ways, but it was a pain to go through all this.

Pretty much stayed off wifi with the Nexus 5 phone and it had no problems.

Anyone have problems after using various hotel wifi in Europe?
 
Added protection is usually limited. Nothing new there.

A determined professional thief can get into my house no matter how well I lock it up. That doesn't mean I leave the front door unlocked and the back windows open for any lesser skilled criminal to enter my house.

Like my old grandpappy used to say "Never let the perfect become the enemy of the good."
 
In 2013 we spent 5 months in Europe, 9 different countries, and used the wifi in hotels and cafes a lot. Never had a problem with my iPad, but I don't believe I did an OS upgrade in that time.
 
After reading this, I checked out Sean Cassidy's page and then dug a little bit more into the preferences and tools on LastPass. There are a few other recommendations I gleaned from the various places that weren't specifically mentioned:
- Only access and/or log in to LastPass using the button on your browser, not through a website.

This is exactly the opposite of my initial reaction after reading this thread.

My preference would be to only login from the LastPass web site (after verifying the https security certificate is good). Isn't that the whole point behind secure web sites -- that you can trust they are who they say they are and not a man-in-the-middle attack?

If I login via some other box that pops up, I am not sure who is serving up the box.

If someone can describe why using the plugin button on the browser bar to login vs. using the field on the web page itself is preferable, I may reconsider. But other than that I am sticking with https. It has been quite reliable over the years, other than the Heartbleed bug, which was a failure of the OpenSSL implementation.

-gauss
 
...
My preference would be to only login from the LastPass web site (after verifying the https security certificate is good). Isn't that the whole point behind secure web sites -- that you can trust they are who they say they are and not a man-in-the-middle attack?...
The little button on the Firefox toolbar is there because I installed the Lastpass extension. I'm not sure it is easy to hack ... or is it?

What one sees is:
1) The button is black
2) Clicking on the button brings up a Lastpass popup with your email filled in
3) Enter the master password and the button turns red. You are ready to use your passwords.

I'm not sure what part of this process is hackable. Just thought I'd summarize what you think is not a good thing to do.

I guess what you are saying is, go to the bookmarked LastPass site and login from that URL by clicking the Login. First make sure that the site URL contains something like: the little green lock and words like "LastPass: (Marvasol, Inc) (US) https://lastpass.com".
 
I guess I should edit the point to read: "Only access LastPass either through the button on your browser (via the extension) -OR- directly through the website (type in the address) - NOT VIA A LINK."

Certainly, if you're typing https://lastpass.com into your browser, you're safe. Lostpass relies on either clicking a bogus login link in your notifications bar (turning off notifications fixes this since any notification you get is bogus) or another link which takes you to a bogus login page (standard phishing/spearphishing).

If you never login via a website, and only login via the browser extension button WHICH YOU CLICKED (not some popup that just happened), you're safe. The only circumstance where this wouldn't be true is if you installed a bogus extension not directly from LastPass, which seems unlikely and isn't exactly a new vulnerability. If you don't trust browser extensions at all, then that's a different matter altogether.

So, while I would agree that using the website directly is safe, I don't think you're correct that using the browser extension directly is unsafe, at least not any more unsafe than it was before "Lostpass".
 
As scary as this phishing attack is, I do think that most of us would realize something was amiss when the master password dialog appeared on a blank page and not on top of the page we were on (see image).

If someone can describe why using the plugin button on the browser bar to login vs using the field on the web page itself is preferable I may reconsider. But other then that I am sticking with https. It has been quite reliable over the years, other than the Heartbleed bug which was a failure of the openssl implementation.
The reason why clicking on the LastPass icon in the browser's toolbar is safe is that there is no vulnerability there. I'm sure hackers have tried, but they have not succeeded in getting their code to run when you click on the LastPass add-in button. Contrast that with clicking anything in the viewport. THAT is where the phishing problem is.

Maybe I don't understand the problem here but it seems there is a simple solution for Lastpass users:
Train yourself to never click on a link that is presented to you or anything like a presentation in a browser window.
Correct. If you don't want to get phished, follow Rule#1: only type your master password if you specifically asked for the login dialog from the add-in button. Problem solved.

Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.
Since the encrypted vault is in the cloud, it makes the master password more valuable to a hacker than, say, a vault on a thumb drive.

Yes, I believe this is correct, you have to add new sites manually. The convenience of that strip plays into the hackers' hands as it can apparently be "spoofed".
Generally the strip appears only after one is logging out of a new site. So it would seem to me that the timing indicates it is not a spoof. But that is maybe a small quibble and I guess I have to reluctantly agree that the best thing is manually setting up a new login.
You don't need to hamstring LastPass! True, a hacker could put a green bar up. The worst they could do is not put that site's password in the vault. Under your scenario, they've already got that site's password. Follow Rule#1 and go on with life as-is.

You can limit IP by country, shut off notifications, etc, if it makes you feel better, but if you think back to the original phishing problem, and really understand it, you'll realize it's not necessary to change the configuration at all. Just follow Rule#1.
 

Attachment: lostpass.jpg

Thanks nash031,

I think we are basically in agreement. My preference would be to use the secure web site just because of the long history of security via https (i.e., the SSL/TLS protocol that dates back to the days of Netscape).

The browser extension may also be safe if you trust that LastPass did a good job in the programming of it.

I just wanted to make sure that I didn't miss something when the original advice looked like it was to not use the secure web site to login.

I think we are good here. Again thanks for the clarification.

-gauss
 
I think this phishing scam differs based on browser, as the originator pushed it on Chrome and said Firefox would be more difficult to spoof. Not sure about the blank page and how that interacts.
 
If this thing is so easy to host, I'm surprised there isn't a site that does it without the password field, just to demonstrate exactly how it would look (but with declarations that it's a demo of a phishing attack for learning purposes).
 
Early in the thread is a link to the discoverer's web page. There is a description of how it was done, with screenshots. From what I recall, he had a functioning exploit set up, but took it down once the company acknowledged the vulnerability.
 
Steve Gibson has a good explanation of the LastPass phishing attack and what LastPass had done about it and what we should be watching. Find the LostPass episode and the explanation is in the last 35 minutes.

https://www.grc.com/securitynow.htm

Basically, there is no perfect defense against a phishing attack on any app, not just LastPass, and the user must be watchful. LastPass has shut some holes and beefed up some security that makes this attack much harder to accomplish. For example, LastPass will now warn people if they are entering their LP master password into something that isn't LastPass.
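The warning described above (and the bogus-login-page problem discussed earlier in the thread) can be sketched as a small defender-side check. This is an added example, not LastPass's own code: it assumes a slow hash of the master password is kept locally so typed values can be compared without storing the password, and it treats only https pages on lastpass.com (or a subdomain of it) as trusted, so lookalike hosts, plain http and data: URLs all trigger the warning.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Hosts allowed to receive the master password (assumption made for this example).
TRUSTED_HOSTS = {"lastpass.com"}


def derive_check_value(master_password: str, salt: bytes) -> bytes:
    """Slow salted hash of the master password, kept locally instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, 100_000)


def is_trusted_origin(url: str) -> bool:
    """True only for https pages whose host is a trusted host or a subdomain of one.
    'lastpass.com.evil.example', 'http://lastpass.com' and data: URLs are all rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def should_warn(page_url: str, typed_value: str, salt: bytes, check_value: bytes) -> bool:
    """Warn when a value typed into a password field on an untrusted page matches the
    master password. The comparison is constant-time so timing leaks nothing about matches."""
    if is_trusted_origin(page_url):
        return False
    candidate = derive_check_value(typed_value, salt)
    return hmac.compare_digest(candidate, check_value)


def demo() -> list:
    salt = os.urandom(16)
    master = "correct horse battery staple"  # constructed master password for the demo
    check = derive_check_value(master, salt)
    # Constructed sample events: (page URL, value typed into a password field).
    events = [
        ("https://lastpass.com/login", master),                    # real site: no warning
        ("https://lastpass.com.evil.example/login", master),       # lookalike host: warn
        ("http://lastpass.com/login", master),                     # plain http: warn
        ("https://shop.example/login", "some-other-password"),     # different password: fine
        ("data:text/html,<h1>Login</h1>", master),                 # in-page fake dialog: warn
    ]
    return [should_warn(url, value, salt, check) for url, value in events]


if __name__ == "__main__":
    print(demo())  # [False, True, True, False, True]
```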
 
It would be cool if LastPass presented a user with a user-chosen image when asking for the password, i.e., a customized popup.
 