LastPass security warning - January 18, 2016

Started by Jason, January 18, 2016, 10:17:59 PM

Jason

If you are a user of LastPass for password storage/automation, please be aware of a recently announced vulnerability:

Please visit the following link for the full article:

http://news.softpedia.com/news/lastpass-vulnerable-to-extremely-simple-phishing-attack-499023.shtml

Quote
Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password.

Mr. Cassidy discovered that whenever LastPass sessions expire while the user is browsing the Web, LastPass shows this using notifications injected in a page's content. The subsequent login page and the two-factor authentication code, if enabled, are also displayed in the same way.

In terms of security, this is a big no-no, since it exposes users to Web injection attacks, commonly found in phishing attacks against users of Web-based banking portals.

Following an initial hunch, Mr. Cassidy explored this apparent weakness and discovered that attackers can exploit LastPass' tendency to show notifications and login popups inside a live Web page.

Quote
Some mitigation techniques
To mitigate against his own attack, Mr. Cassidy recommends that users never re-enter LastPass credentials inside the browser, and use the main application to authenticate again.

Additionally, he also says that turning on IP restrictions for the LastPass paid version is better than using 2FA protection. Furthermore, users should also disable mobile logins, and log all logins and login failures.