Lastpass can be Compromised with Simple Phishing Assault

One special kind of phishing assault targets LastPass that can lead to evasion of dual-factor validation mechanisms and exposure of end-user credentials.

According to CTO and security researcher Sean Cassidy of Praesidio the security company, during every expiration of LastPass session when a Web-surfer is performing his activity, LastPass displays the surfer's browsing notifications inserted into certain Web-page's matter. Similarly, the follow-up page to log in as well as the dual-factor validation program, in case are enabled, too get exhibited. Security-wise, this is not desirable, as it may mean Web-insertion assaults for the end-user, like within phishing assaults on Internet banking portals that users maybe accessing.

The working of LastPass is as follows: the victim must foremost go to a malicious website following which the hacker plays his role as thus- he must hunt out LastPass as also display to the end-user a notification of expired session; take him onto the login web-page while entice him towards clicking one rogue banner which takes him onto certain page under the hacker's control (this page perfectly mimics the LastPass web-page); lure the compromised end-user towards typing in his credentials such as username and password that get dispatched onto the hacker's remote server; as well as finally take down the victim's currency chamber.

Security expert Cassidy states that LastPass assault works best with Google's browser Chrome since LastPass utilizes certain login page that's HTML-based for it.

In November last year (2015), Cassidy drew LastPass' notice towards the particular security problem while acknowledgement followed in December. For mitigating this assault, the company recently released one solution in the form of a warning to end-users as they enter the password of their main chamber inside certain other websites. Nevertheless, Cassidy doesn't think the solution is perfect. Cassidy suggests end-users to never enter the credentials of LastPass a second time inside the Web-browser, while utilize the key app for re-authentication. Softpedia posted this, January 17, 2016. Moreover, Cassidy further states that enabling Internet Protocol limitations for the paid edition of LastPass is preferable to utilizing 2FA defense. Besides, end-users must turn off their mobile logins too.

» SPAMfighter News - 1/25/2016