
Phishing Attack Targets LastPass



Security researcher Sean Cassidy of Praesidio has revealed a phishing attack targeting the LastPass password manager at ShmooCon 2016 in Washington D.C. He calls it LostPass and describes it as "sophisticated enough to fool users into handing over their passwords, email, and all the passwords and documents stored in their LastPass vault." The LostPass exploit seeks to deceive users by creating a pixel-for-pixel replication of legitimate LastPass messages. In order to be exposed to LostPass, "the intended victim must visit a malicious website or a real website vulnerable to XSS. Once laden with malicious code, the website can then prompt the user with a notification which shows login expiry and an appeal to log in again -- made worse by the CSRF flaw as the website can log the user out of LastPass to make the request appear legitimate." At this point the attacker can gain access to the user's account, even if two-factor authentication has been enabled, and can "install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a trusted device."

Cassidy informed LastPass of his phishing attack in November and the company has responded. A company spokeswoman stated, "We did work directly with Sean Cassidy, and can confirm this is a phishing attack, not a vulnerability in LastPass. However, we've released an update that will prevent a user from being logged out by the phishing tool, thereby mitigating the risk of the phishing attack. In addition, LastPass has a built-in security alert to let you know when you've entered your master password into a non-LastPass web form."
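The CSRF logout described above is what made the fake "session expired" prompt convincing, and the vendor's fix was to stop a third-party page from triggering that logout. The following is an added example written for this post (not LastPass's code, and the origin name, session store and handler signatures are assumptions) showing a logout endpoint that any cross-site page can trigger beside one that rejects requests lacking a trusted Origin and a session-bound CSRF token:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed placeholder for the real service origin; not taken from the article.
TRUSTED_ORIGIN = "https://lastpass.example"

# Constructed in-memory session store: session id -> {"user", "csrf"}.
SESSIONS = {}


def create_session(user: str) -> str:
    """Create a session and a random CSRF token bound to it; return the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def logout_unprotected(cookies: dict) -> str:
    """Weak pattern: any request carrying the session cookie ends the session,
    so a page on another origin can force the logout the article describes."""
    sid = cookies.get("session")
    if sid in SESSIONS:
        del SESSIONS[sid]
        return "logged_out"
    return "no_session"


def logout_protected(headers: dict, cookies: dict, form: dict) -> str:
    """Hardened pattern: the request must come from the trusted origin and carry
    the CSRF token that was issued for this session."""
    sid = cookies.get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return "no_session"
    # Compare scheme://host exactly; a prefix check would accept look-alike hosts.
    parts = urlsplit(headers.get("Origin") or headers.get("Referer", ""))
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return "rejected_cross_site"
    # Constant-time comparison of the submitted token against the session's token.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session["csrf"].encode()):
        return "rejected_bad_token"
    del SESSIONS[sid]
    return "logged_out"
```

A request from another origin, or one missing the token, never reaches the `del`, so the user stays logged in and the forged "please log in again" prompt no longer matches a real state change.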

Source: ZDNet and Fast Company
