Jan 20 2016
Popular credentials manager LastPass has taken steps to counter a "very simple" phishing attack that could see users' passwords, email addresses and two-factor authentication tokens stolen.
Researcher Sean Cassidy posted proof of a successful phishing attack using a faked LastPass notification in a web browser earlier this month, following a presentation at the hacker conference ShmooCon.
By setting up a malicious website that displays notifications telling users their LastPass sessions have expired, Cassidy was able to create a page that lured people into entering their credentials for the password manager.
The researcher called the attack LostPass. A successful capture of user LastPass credentials would allow attackers full access to all login details stored in the password manager.
According to Cassidy, the attack works best on the popular Google Chrome web browser.
LastPass has since made changes to its browser notification and alert systems, and now requires email confirmation for all logins from new IP addresses, which Cassidy says substantially mitigates his attack.
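The new-IP confirmation step is the part of the fix that blunts a credential-phishing attack even when the password and two-factor code were both captured: an attacker replaying them from their own machine arrives from an address the account has never used. The following is an added example, not LastPass's code, of how such a policy can be expressed in a login flow. Account names, IP addresses and the password hashing stand-in are constructed for illustration; the `totp_ok` flag assumes the second factor has already been verified elsewhere.

```python
"""Added example (not LastPass's code): require out-of-band e-mail
confirmation when a correct password and 2FA code arrive from an IP
address the account has never logged in from before.
All users, addresses and tokens here are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_password(password: str) -> bytes:
    # Stand-in only: a real deployment uses a slow KDF (argon2/scrypt/bcrypt).
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Account:
    username: str
    password_hash: bytes
    known_ips: set = field(default_factory=set)
    # confirmation token -> IP address waiting to be approved by e-mail
    pending: dict = field(default_factory=dict)


class LoginPolicy:
    def __init__(self):
        self.accounts = {}  # username -> Account

    def register(self, username, password, first_ip):
        acct = Account(username, hash_password(password), {first_ip})
        self.accounts[username] = acct
        return acct

    def attempt_login(self, username, password, totp_ok, source_ip):
        """Return 'denied', 'ok', or ('confirm_email', token).

        totp_ok is assumed to be the result of a separate 2FA check."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if not hmac.compare_digest(acct.password_hash, hash_password(password)):
            return "denied"
        if not totp_ok:
            return "denied"
        if source_ip in acct.known_ips:
            return "ok"
        # Correct credentials from an unfamiliar address: do not issue a
        # session yet. Hand back a token that would be delivered by e-mail.
        token = secrets.token_urlsafe(16)
        acct.pending[token] = source_ip
        return ("confirm_email", token)

    def confirm_email(self, username, token):
        """Complete the out-of-band step; the IP becomes trusted on success."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        ip = acct.pending.pop(token, None)
        if ip is None:
            return False
        acct.known_ips.add(ip)
        return True


if __name__ == "__main__":
    policy = LoginPolicy()
    policy.register("alice", "correct horse", "203.0.113.5")
    # Usual device: straight in.
    print(policy.attempt_login("alice", "correct horse", True, "203.0.113.5"))
    # Same credentials replayed from an unfamiliar address: held for confirmation.
    print(policy.attempt_login("alice", "correct horse", True, "198.51.100.9"))
```

The design point is that the decision is made after the password and second factor have already checked out, so it adds friction only to logins that look like a replay from elsewhere; the token is delivered over a channel the phishing page never touched.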
The company is also looking into delivering notifications somewhere other than the web browser viewport beneath the tab strip and address bar, which is where Cassidy placed his fake session-expiry warnings.
LastPass has also asked Google to help make the viewport area more secure to use, or to provide an alternative channel for notifications.
Cassidy noted that in general terms, web browser extensions are riskier than native applications that run on the operating system.
Also, having a publicly accessible application programming interface makes it easier to steal a great deal of data, he said.
Cassidy cautioned that users should only store frequently used and low-risk data in LastPass and other password managers.