ClockWatcher
Dryer sheet aficionado
- Joined: Apr 15, 2013
- Messages: 43
People using LastPass to manage their financial passwords now have a new concern: a devastating phishing attack. LastPass has not been "hacked," but because it displays messages within the browser, as a webpage, these messages can be faked with pixel-to-pixel exactness, allowing even a normally cautious user's master password and even two-factor authentication to be compromised. These are possible due to the way in which the LastPass interface has been designed. At a conference yesterday, Sean Cassidy, CTO of Praesidio, demonstrated such a phishing attack, and then posted instructions to replicate it on GitHub, under the name "LostPass":
https://github.com/cxxr/lostpass
You can read more about how it works at Mr. Cassidy's blog:
https://www.seancassidy.me/lostpass.html
For a less technical discussion, here are two news articles that have been published:
LastPass has serious flaw called 'LostPass' -- your passwords and more are at risk
ShmooCon: LastPass design elements create perfect Phishing opportunity | CSO Online
Mr. Cassidy did contact LastPass, who subsequently issued an update, but he suggests that their patch has in some ways made things worse. The alert that was implemented now confirms to the attacker that the user ID and password are valid.
Here are the suggestions that Mr. Cassidy posted in his blog for users while they wait for LastPass to roll out better user protections:
• Ignore notifications in the browser window
• Enable IP restriction (only available to paid plans)
• Disable mobile login (although other attacks could use non-mobile API)
• Log all logins and failures
• Inform your employees of this potential attack
For those considering alternative password managers, he recommends:
• Browser extensions are riskier than native applications
• An API makes it easier to steal a lot of data
• Store only frequently used and low risk data in a password manager