LastPass is one of the popular password managers; it stores a user’s passwords in the cloud in an encrypted vault. That vault is protected by a single username/master password pair plus, optionally, one of several forms of two-factor authentication. However, a security researcher has recently released a tool that can steal both the master password and the two-factor authentication code for the manager, potentially leaving users exposed. The tool lets an attacker mimic the look and feel of the LastPass browser plugin and website, imitating the way the password manager asks a user for their password and two-factor authentication code.
The security researcher presented the attack at the hacker convention ShmooCon in Washington, calling it LostPass. The attack works because ordinary users can’t tell the difference between a fake and a real message. The fake message shows up when a user visits a malicious website. Once the malicious page detects that the browser is using LastPass, it mimics a LastPass notification, remotely logs the user out and asks for their password and two-factor authentication code. With those in hand, the attacker can gain access to every password stored in the vault, change settings, lock the user out, or quietly keep the access hidden, leaving the user none the wiser.
LastPass was notified about the attack back in November and responded by implementing a warning that alerts users when they type their master password into a site other than LastPass. The problem is that a malicious page can just as easily suppress that warning.
While the attack is not a flaw within LastPass itself, it still highlights a major problem that even careful users can run into: a web page can imitate browser and extension UI convincingly. For its part, the service said that its email verification step significantly reduces the threat of such a phishing attack, because a login from an unknown device is not completed until a link sent to the account’s email address is clicked, so the attacker would also need access to the user’s email account. Accordingly, if a user sees a verification request they never initiated, they can safely ignore it.
LastPass also added that it has implemented a fix preventing a malicious site from logging a user out of their account. Although none of these changes can stop an attacker from stealing login details, they can still prevent the attacker from using those details to get into the user’s password manager.
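The email verification step described above, modelled as an added Python example. This is a constructed illustration written for this page, not LastPass’s code, and it makes no claim about how their service actually implements the check; the class `VaultService`, the helper `totp`, the `demo` function, the user `alice`, the device names and the TOTP seed are all assumed for the example. It shows why a phished master password plus a valid one-time code is not enough on its own: a login from a device the account has never seen is parked until a single-use, time-limited token sent to the account’s mailbox is redeemed, and an attacker who only has the phished credentials cannot produce that token.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The time is passed in explicitly so the
    function is deterministic in tests; a real client would pass time.time()."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class VaultService:
    """Constructed model of master-password + 2FA login with new-device email
    verification. Illustrative only; not LastPass's implementation."""

    def __init__(self, token_ttl: int = 15 * 60):
        self.users = {}      # username -> account record
        self.pending = {}    # verification token -> {username, device, expires}
        self.outbox = []     # (email, token) pairs "sent" to the user's mailbox
        self.token_ttl = token_ttl

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, email, password, totp_secret, device):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "email": email,
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "totp_secret": totp_secret,
            "devices": {device},                  # devices already trusted
        }

    def login(self, username, password, code, device, now=None):
        """Return "ok", "denied" or "verify_email"."""
        now = time.time() if now is None else now
        u = self.users.get(username)
        if u is None:
            return "denied"
        pw_ok = hmac.compare_digest(self._hash(password, u["salt"]), u["pw_hash"])
        code_ok = hmac.compare_digest(code, totp(u["totp_secret"], now))
        if not (pw_ok and code_ok):
            return "denied"
        if device in u["devices"]:
            return "ok"
        # Credentials are right but the device is unknown: a phisher who captured
        # the master password and a current 2FA code lands here. The token goes
        # only to the mailbox, never back to the caller, so mailbox access is required.
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"username": username, "device": device,
                               "expires": now + self.token_ttl}
        self.outbox.append((u["email"], token))
        return "verify_email"

    def verify_device(self, token, device, now=None):
        """Redeem the token from the verification e-mail. Single use, expiring,
        and bound to the device that triggered it."""
        now = time.time() if now is None else now
        p = self.pending.pop(token, None)
        if p is None or p["device"] != device or now > p["expires"]:
            return False
        self.users[p["username"]]["devices"].add(device)
        return True


def demo():
    """Walk through the phishing scenario with constructed data."""
    svc = VaultService()
    seed = b"constructed-demo-seed-not-a-real-secret"
    t = 1_700_000_000.0
    svc.register("alice", "alice@example.com", "correct horse battery", seed, "alice-laptop")
    # The fake LastPass prompt has captured the master password and a live 2FA code.
    phished_code = totp(seed, t)
    attacker = svc.login("alice", "correct horse battery", phished_code, "attacker-box", now=t)
    guess = svc.verify_device("not-the-real-token", "attacker-box", now=t)
    # The legitimate user on her known device is unaffected.
    alice = svc.login("alice", "correct horse battery", totp(seed, t), "alice-laptop", now=t)
    # Only the mailbox holds the real token; even that is useless once it has expired.
    email, token = svc.outbox[-1]
    expired = svc.verify_device(token, "attacker-box", now=t + 3600)
    return {"attacker": attacker, "guess": guess, "alice": alice,
            "expired": expired, "mailbox": email}


if __name__ == "__main__":
    print(demo())
```

The model also reflects the advice in the text: because the token is delivered only to the mailbox and binds the device that asked for it, a verification email the user did not trigger is evidence of an attempt from a device they do not own, and ignoring it leaves the attacker stuck at the "verify_email" step.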