Skip to main content

LastPass Password Manager Details Vulnerable to Hack


LastPass is one of the popular password managers, which stores user’s passwords in the cloud in an encrypted vault. This user’s database is protected by a single username/password pare and various forms of two-factor authentication. However, some security researcher has recently issued a tool able to steal the login details and two-factor authentication key for the manager, thus leaving users potentially exposed. The instrument in question enables hackers to mimic the look and feel of the LastPass browser plugin and website, imitating the way the password manager requests a user’s password and two-factor authentication key.


The security researcher presented the attack at the hacker convention ShmooCon in Washington, calling it LostPass. The attack works because ordinary users can’t tell the difference between a fake and a real message. The fake message shows up if a user visits a malicious website. Once the malware detects that the browser is using LastPass, it mimics a LastPass notification, remotely logs-out the user and requests their password and two-factor authentication key. As a result, the hacker would be able to gain access to every password stored in the system, change settings, block a user’s access or hide it leaving the user none-the-wiser.

LastPass was notified about the vulnerability back in November and responded by implementing a system to alert users when they type their master password on a fake site. The problem is that hackers can easily block that notification as well.

While the attack is not a flaw within LastPass itself, it still highlights a major problem that even the most careful users can encounter. As for the service, it said that the email verification process significantly reduces the threat of such phishing attack because in this case the hackers would need to gain access to the user’s email account as well. In this case, if a user sees a verification request they never initiated, they can safely ignore it.

LastPass also added that it has implemented a fix preventing the malware from logging a user out of their account. Although none of these changes can prevent the hackers from stealing login details, they could still prevent from using those details to access the user’s password manager.

Comments

Popular posts from this blog

Here Are 7 Brilliant Cheat Sheets For Linux/Unix

There's nothing better than a cheatsheet when you are stuck and need a reference. So here bringing to you 7 brilliant free cheat sheets. 




1. Unix Tool Box: An incredibly exhaustive reference for all things Linux. This document is a collection of Unix/Linux/BSD commands and tasks which are useful for IT work or for advanced users.

2. One page Linux Manual: Great one page reference to the most popular Linux commands, it is a summary of useful Linux commands.

3. Linux Reference Card: One great reference published by FOSSwire.

4. Linux Command Line Cheat Sheet: This is an interestingly sorted and helpful cheat sheet by cheatography.

5. Linux Command Line Tips: This is a linux command line reference for common operations. Cleanly sorted and well described.

6. Treebeard’s Unix Cheat Sheet: A great reference that shows command comparisons with that of DOS. So if you are someone who was a DOS user and has switched to Linux, this is the best one too have!

7. Linux Shortcuts and Commands:…

WhatsApp is illegal, will soon banned in India : Government

WhatsApp could have accidentally entered into troubled waters here in India by enabling its end-to-end encryption for all. The new security feature by WhatsApp is not what is required by the Indian telecom rules and WhatsApp could face a ban, if the rules are not adhered to. But not yet.
In India, companies need to follow the country’s rules and adhere to specific types of encryption, which WhatsApp does not currently use. WhatsApp’s end-to-end encryption on its chat service means that WhatsApp or anyone else won’t be able to crack open its contents.  Only the sender and the recipient are able to read the encrypted data. WhatsApp uses a 256-bit key for encryption of all chat messages, which is only known to the sender and the recipient.
Why is it not possible for WhatsApp to help decrypt users’ messages? "No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us," WhatsApp founders Jan Koum and Brian Acton wrote on their blog. How…

3 Mega Acquisitions in last week affects the Internet Space of India

Qihoo 360 buys Opera in $1.2 Billion Opera Software intends to accept a $1.2 billion acquisition offer from a group of Chinese companies. The Chinese consortium includes Internet security company Qihoo 360, Internet firm Beijing Kunlun (which invested roughly$93 millioninto Grindr earlier in the year) and investment group Golden Brick and Yonglian. According to Opera, the $1.2 billion is a 56 percent premium over Opera's share price during the last 30 trading days. Despiteclaiming350 million users, the company's browser has struggled in the oversaturated Western market. China could be a profitable arena for Opera, in part because Google's Chrome browserdoes not come preinstalled on Android phones in China like it does elsewhere. In addition, doing business in China without local partners is nigh impossible, but Opera could leverage the networks of Kunlun and Qihoo 360 if the deal goes through.


Snapdeal Buys Freecharge in $400Million e-commerce marketplace Snapdeal has acquired …