
LastPass users are vulnerable to the simplest phishing attack in Chrome


LastPass, one of the most popular password managers, has run into security problems more than once. In the summer of 2015 the service was breached, after which users were told to change the master passwords they use to access LastPass. In November 2015, security researchers found a number of bugs in the service that allowed attackers to get at user credentials.

Now it turns out that the service's two-factor authentication does not help if the attacker uses the simplest kind of phishing attack. The security researcher Sean Cassidy, who discovered the problem, named it “LostPass” and released a tool that demonstrates it.

The issue is that, under certain conditions, LastPass shows the user a notification that the session has expired and a new login is required. If an attacker plants a fake version of this notification on a site the user visits, two-factor authentication does not protect the user: the account is compromised anyway. A fake form that looks exactly like LastPass's regular login form will fool many people, all the more so because its address resembles the service's own technical URL.

As a result, the attacker can verify the captured credentials without any trouble and, where the account requires it, ask the victim for a two-factor code as well, using the LastPass API. Notably, all of this works only in Chrome: there the extension draws its notifications inside the page's viewport, where a web page can imitate them; other browsers display the service's notifications in a slightly different way.
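To make the "address resembles the service's technical URL" point concrete, here is an added example in JavaScript, the language of the browser in which the attack works; it is not code from the original article or from Cassidy's LostPass tool. It contrasts the loose "does the address mention the service?" reading a hurried user applies with a strict origin comparison using the WHATWG URL API, run over a set of constructed addresses. The allowed origins and the sample lookalike addresses are assumptions chosen for the illustration, not data from the article.

```javascript
// Added example, not from the article or from LastPass. The allowed
// login origins below are an assumption for illustration only.
const ALLOWED_LOGIN_ORIGINS = new Set([
  "https://lastpass.com",
  "https://www.lastpass.com",
]);

// Naive check: "does the address mention the service?" This is how a
// hurried user reads an address bar, and it is exactly what a lookalike
// address exploits: every address below passes it.
function looksLikeServiceNaive(address) {
  return address.toLowerCase().includes("lastpass.com");
}

// Strict check: parse the address and compare the exact origin.
// Unparseable input, non-https schemes (http:, data:, blob:, ...), URLs
// carrying userinfo, and any origin not in the allow-list are rejected.
// new URL() canonicalises the host (lower-case, default port dropped),
// so "https://LASTPASS.COM:443/" still compares equal to the allowed origin.
function isAllowedLoginOrigin(address) {
  let url;
  try {
    url = new URL(address);
  } catch (_) {
    return false; // not an absolute, parseable URL
  }
  if (url.protocol !== "https:") return false;
  // "https://lastpass.com@attacker.example/": the parser puts
  // "lastpass.com" into url.username, and the real host is the attacker's.
  if (url.username || url.password) return false;
  return ALLOWED_LOGIN_ORIGINS.has(url.origin);
}

// Constructed sample addresses: three legitimate, four lookalikes.
const SAMPLE_ADDRESSES = [
  "https://lastpass.com/login.php",
  "https://LASTPASS.COM:443/",
  "https://www.lastpass.com/",
  "https://lastpass.com.login-session.example/", // attacker-owned subdomain
  "https://lastpass.com@attacker.example/",      // userinfo trick
  "http://lastpass.com/",                        // plaintext downgrade
  "data:text/html,<title>lastpass.com</title>",  // in-page fake, no origin at all
];

// Evaluate both checks over the samples.
function classifyAddresses(addresses = SAMPLE_ADDRESSES) {
  return addresses.map((address) => ({
    address,
    naive: looksLikeServiceNaive(address),
    strict: isAllowedLoginOrigin(address),
  }));
}

// Addresses the naive reading accepts but the strict check rejects:
// these are the ones a phishing form would be served from.
function lookalikes(addresses = SAMPLE_ADDRESSES) {
  return classifyAddresses(addresses)
    .filter((row) => row.naive && !row.strict)
    .map((row) => row.address);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyAddresses());
  console.log("lookalikes:", lookalikes());
}
```

The practical lesson is the one Cassidy draws in the article: a form that appears inside a page cannot be trusted on its looks, only on the origin it was actually served from, and the safest way to be sure of that origin is to type the service's address yourself rather than follow an in-page prompt.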

According to Cassidy, he has already contacted the service's developers and received the response that this is not a vulnerability but phishing. In his view, unless the company changes the way notifications are displayed in Chrome, LastPass users will remain at risk. To avoid losing their data, Cassidy recommends entering credentials only on the service's own page; authenticating through the application is another sound option.

Source: https://habr.com/ru/post/275443/
