There seems to be an alarming trend lately: the very programs we use to keep our information safe are giving hackers easy access to our private data in bulk. The latest in the string of hacked security programs is LastPass.
That’s right: the company that has kept your passwords safely secured for years has, of late, only been doing half of that job. It turns out that the most basic of phishing attempts can capture a user’s passwords (and with them, access to all of the private data stored behind those passwords). All an attacker needs to do is spoof an alert from LastPass, and the user will hand over everything the attacker needs. This was discovered and written up by Sean Cassidy on his blog.
The issue is that when LastPass sends you a notification that requires you to log in, it does so in a new browser window. That window can be spoofed easily by a malicious page you visit, and the same page can log you out of LastPass first, so the prompt looks legitimate: you really do need to log in. Thankfully, the attack only works if you visit a malicious page, so as long as you’re not visiting any shady sites, you should be okay.
The other bit of good news is that LastPass has now responded to the issue and implemented new security features to prevent this attack from working. Namely, LastPass now requires email authentication when you log in from an unrecognized IP address, and websites can no longer automatically log you out of LastPass.