LastPass Password Manager a 'Phishing Risk'

By John Lister

A security researcher says he's published proof that users of password manager tool LastPass could easily be tricked into handing over login details. LastPass insists there is no bug with the service itself, but has made some changes to mitigate the issue.

Sean Cassidy published details of the potential attack at a security conference. He says the way LastPass operates makes it too easy to create bogus-looking login pages that could fool users into handing over their login credentials.

According to Cassidy, two main problems combine to create the phishing risk. One is that LastPass displays messages to the user in the browser viewport, the main part of the browser window that shows the web page itself (as opposed to the address bar, which shows the site URL). Because a web page controls everything drawn in the viewport, a malicious page can draw a message that looks exactly like one from LastPass. The second problem was that LastPass was set up to allow remote logouts from the service.

Bogus Login Screen An Identical Copy

In his demonstration, Cassidy showed that as long as users were on a malicious website, or on a legitimate one with a security flaw, it was possible not only to log the user out of LastPass, but then to show a bogus message in the viewport asking them to log back in. That could trick users into handing over their master LastPass login, and thus expose all of their stored passwords.

Cassidy says the bogus message looks convincing because there's no difference between it and the real thing: "It's pixel-for-pixel the same notification and login screen." (Source: seancassidy.me)

LastPass has addressed the claims on its support site. It insists there's no security vulnerability with the service, but has added several steps to make it less likely a user will fall for a phishing attack.

Remote Logouts Now Blocked

One such defense is to completely block remote logouts. Even if the attacker is able to create the bogus login request, the LastPass browser extension will still show that the user is logged in, which gives the user a visible cue that the prompt is not genuine. LastPass has also tweaked its settings so that users can't simply log in from any machine. If somebody tries logging into an account from a previously unused location or device, LastPass will now send an email with a verification link.

Another change is to more strongly warn the user if they are typing their LastPass master password into any other site or service, including the bogus login form from the attack Cassidy describes. Finally, LastPass is working on alternative ways to display notifications other than the viewport, which could make it harder to create convincing bogus messages. (Source: lastpass.com)

What's Your Opinion?

Do you use LastPass and do you think LastPass has done enough to address this security issue? Is it worth putting up with an extra bit of inconvenience, such as email verification when using a new machine, for added security? Do you trust password manager tools or is it too much risk putting all your passwords in one (virtual) place?


Comments

normrubin:

I'm semi-happy with LastPass. I was totally happy with the free version on multiple laptops. Then I paid $12 (/yr) so I could use it on my Android phone, and I'm less happy. Waiting for a newer phone in the mail. But with this one, neither the LP app nor the LP browser fills in my logins seamlessly. Best I can do is switching apps and cutting and pasting. So I'm still using a few crummy passwords for low risk sites - like InfoPackets!
If somebody wants to impersonate me HERE, I think they'll find it's a slow way to make a buck.
I think the new changes are sensible.
More serious:
1) On one laptop, my setting "Sign out after 30 minutes" somehow got deactivated! So if I'd lost that laptop, ALL my Signins would have been on it forever!
2) I'm still a happy Eudora user for email, and Eudora auto-logins to pick up my emails on all my laptops. K-9 Mail does the same on my phone. (Who manually logs in to pick up email??) So LP's willingness to replace my master password on request - by email - is still a big vulnerability, if somebody gets their hands on one of my devices. Personally, I think when I can't remember my LP Master Password any more, I should probably let my Caregiver sign me in!
3) No doubt User Error, but LP has learned a few wrong signins to a few sites, which is a nuisance when it DOES otherwise work smoothly.
Otherwise, it's a great idea, and a bargain at $12/yr. When the new phone arrives with Android 5.1, I may be pretty happy.

stooobeee:

I use this app. I do not ever give my password for financial sites or other important ones, either to be logged on automatically from the browser, or from LastPass, and just exactly for those reasons described.