LastPass Users Vulnerable to Devastating Phishing Attack

I had the most difficult time logging in today. Entered password about a dozen times and it wouldn't log me in. First time that has happened. After reading these replies, I promptly changed my password. I've always used the extension button in Chrome. I hope nothing has been compromised because I am totally dependent on this pw manager.
 
It would be cool if Lastpass presented a user with a user chosen image when asking for the password i.e. a customized popup.
That seems like something that would be effective, but indeed does not address the vulnerability.

You identify yourself to the fake LastPass, then, quickly in the background, the bad guy, acting like you against real LastPass API, grabs your custom image, then presents it back to you. It's no more than an annoyance to the bad guy.

These custom images are good for simple instances where it's a redirection attack as opposed to a man in the middle attack.
 
Probably I don't understand this situation. Maybe you can tell me where I'm wrong?

Isn't the presentation a bogus web page with a generic Lastpass login? Firstly, the actual thing I see on my system is a Lastpass popup with my email in one of the top input boxes. Let's assume I have not trained myself to normally look for that (probably true). And also that I don't realize the browser page has a "frozen popup". Incidentally I bet the Lastpass login could be redesigned to pull the users eye to his email fill in. Like coloring it in with magenta or something. Here is what we are talking about:

[attached screenshot of the LastPass login popup: ru9qno.jpg]


Also I have mine setup so that the email is filled in. How would the man in the middle fill that one in? Or is he relying on people normally filling this in manually plus the password?

Didn't my Lastpass popup come from a browser extension on my machine? If so then it could possibly be customized by me and reside on my machine. The guy in Eastern Europe wouldn't know about this and is just mimicking a generic.

On my phone this behaves differently so I guess I'm just talking about one desktop machine and not trying to propagate the customization to more machines.
 
Security images are being phased out. If you search that topic, there's lots of interesting discussion.

The option of customizing your login page locally is intriguing.
 
I don't know about that. Vanguard phased it out. My local Fed Credit Union phased it in.

Score 1 to 1. :)

But maybe in the case of Lastpass it is not needed for the issue we are discussing. Just select the remember Email option and then train yourself to look for it on each login. Plus, of course, make sure you asked for Lastpass to popup i.e. it wasn't presented out of the blue by a window you just opened.
 

It sounds like you understand how it all works, except maybe how the man in the middle attack works in a security image situation*. Actually, I think you get that too, since you had the idea of pulling the image from the browser plug-in.

I don't have a pat answer on the ability of the LostPass hack to populate the email address if that option is checked. Off the top of my head, I'm not sure how they'd know the email address, so yet another head scratcher beyond seeing a login box that you didn't ask for. I didn't see that written-up as a weakness in the LostPass attack, but sounds like it is.

The option of customizing your login page locally is intriguing.
+1 I wonder why they haven't done this. If the image is local, I can't see how it could be presented from javascript on a page, which is the way this phishing attack works.

* The typical man-in-the-middle attack with a security image goes like this: The user thinks they're talking to the real web site, but are talking to the bad guy, and goes to the login page (fake login page), where the user enters the userid (not the password, yet) (or some javascript on the page sends a cookie). The bad guy reads it and immediately sends the same request to the real server. The real server sees exactly what it would have seen in a legit logon, dutifully presents the security image to the bad guy, who then presents it to the user, who thinks everything is legit, and then supplies the bad guy with the password.
 

Great explanation, thanks.
 


If you search, you will find that security images are no longer considered a great idea. Most companies have more secure options like tokens or MFA. If a company is just now phasing in security images, they are behind the curve.

Have no comments on lastpass use.
 

From a few articles, I understand that in tests, too many users ignored the absence of the security image, and will just keep going, deeper and deeper into the abyss of theft.
 
The Fed Credit Union that introduced this is highly security conscious. At least they are really up front with a lot of it, including 2FA. It depends a lot on how the image is presented, i.e. design elements. If you log in multiple times a month your expectation gets set. In my humble opinion, I'd rather have the security image than not. At worst I'd think it was just redundant.

But then we don't really get to vote on the institutional security setup, except maybe with our feet.
 
At worst it creates a sense of false security. A significant number of users accepted alternate messages which are placed in that area. That is why the method is waning in popularity.
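The relay attack on a security image spelled out in the footnoted post above, the locally stored marker idea floated earlier in the thread, and the last two posts' point that a marker only helps users who actually stop when it is missing, modelled as a small offline simulation. This is an added example written for this page, not code from the thread, from LastPass, or from the LostPass write-up; the user ID, password, image name, the two origins and the `RealServer` / `PhishingRelay` / `victim_login` names are all constructed for the illustration.

```python
"""Relay ("man-in-the-middle") attack on a security-image login, as described
in the thread, modelled offline. Constructed example: no real service is
contacted, and the user ID, password, image name and origins are invented."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RealServer:
    """The legitimate site. Knows each user's password and security image."""
    users: dict                                  # userid -> (password, security_image)
    origin: str = "https://real.example"         # constructed origin
    logged_in: set = field(default_factory=set)

    def security_image(self, userid: str) -> Optional[str]:
        # Step 1 of the genuine flow: the userid alone fetches the image, so
        # anyone who has just been told the userid (the relay) can ask for it.
        rec = self.users.get(userid)
        return rec[1] if rec else None

    def login(self, userid: str, password: str) -> bool:
        rec = self.users.get(userid)
        ok = rec is not None and rec[0] == password
        if ok:
            self.logged_in.add(userid)
        return ok


@dataclass
class PhishingRelay:
    """Fake login page that forwards each step to the real server as it happens."""
    upstream: RealServer
    origin: str = "https://rea1.example"         # constructed look-alike host
    harvested: list = field(default_factory=list)

    def security_image(self, userid: str) -> Optional[str]:
        # Relay the userid upstream and hand the genuine image back to the victim.
        return self.upstream.security_image(userid)

    def login(self, userid: str, password: str) -> bool:
        self.harvested.append((userid, password))    # the goal of the attack
        return self.upstream.login(userid, password)  # victim sees a normal success


def victim_login(site, userid: str, password: str, expected_image: str,
                 local_markers: Optional[dict] = None,
                 ignores_missing_marker: bool = False) -> str:
    """A user who checks the security image before typing the password and,
    optionally, a marker stored locally and keyed by the origin actually in use."""
    if site.security_image(userid) != expected_image:
        return "stopped: wrong image"
    if (local_markers is not None and local_markers.get(site.origin) is None
            and not ignores_missing_marker):
        return "stopped: no local marker for this origin"
    return "logged in" if site.login(userid, password) else "login failed"


def run_scenarios() -> dict:
    """Run the four cases and return what the victim saw and what the relay got."""
    userid, password, image = "alice@example.net", "correct horse battery", "img:blue_teapot"
    real = RealServer(users={userid: (password, image)})
    relay = PhishingRelay(upstream=real)
    markers = {real.origin: "magenta_border"}  # lives on the user's machine only

    results = {}
    # 1. Server-side image only: the relay fetches the right image, victim continues.
    results["server_image_only"] = victim_login(relay, userid, password, image)
    results["harvested_after_case_1"] = list(relay.harvested)
    # 2. Local marker, checked: the fake origin has no marker, victim stops.
    results["local_marker_checked"] = victim_login(relay, userid, password, image, markers)
    # 3. Local marker, ignored: the caveat from the thread; the relay still wins.
    results["local_marker_ignored"] = victim_login(relay, userid, password, image, markers,
                                                  ignores_missing_marker=True)
    # 4. Same checks against the genuine site: nothing is in the way.
    results["legit_site"] = victim_login(real, userid, password, image, markers)
    results["harvested_total"] = len(relay.harvested)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The relay never needs to know the image in advance: it learns the userid from the victim, asks the real site for the image exactly as the victim's browser would have, and the victim's check passes. The marker keyed by origin defeats that only because it is never sent to any server, so the relay has nothing to fetch, and only for a user who treats its absence as a stop signal.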
 