LastPass is one of the popular password managers, which stores user’s passwords in the cloud in an encrypted vault. This user’s database is protected by a single username/password pare and various forms of two-factor authentication. However, some security researcher has recently issued a tool able to steal the login details and two-factor authentication key for the manager, thus leaving users potentially exposed. The instrument in question enables hackers to mimic the look and feel of the LastPass browser plugin and website, imitating the way the password manager requests a user’s password and two-factor authentication key.
LastPass was notified about the vulnerability back in November and responded by implementing a system to alert users when they type their master password on a fake site. The problem is that hackers can easily block that notification as well.
While the attack is not a flaw within LastPass itself, it still highlights a major problem that even the most careful users can encounter. As for the service, it said that the email verification process significantly reduces the threat of such phishing attack because in this case the hackers would need to gain access to the user’s email account as well. In this case, if a user sees a verification request they never initiated, they can safely ignore it.
LastPass also added that it has implemented a fix preventing the malware from logging a user out of their account. Although none of these changes can prevent the hackers from stealing login details, they could still prevent from using those details to access the user’s password manager.