LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com) 146
An anonymous reader writes: Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password. He developed a tool called LostPass that automates phishing attacks against LastPass, and even allows attackers to collect password vaults from the LastPass API.
after reading the details, this is significant (Score:5, Informative)
I read through the details and this is pretty significant. It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser, but it was demonstrated that even that isn't sufficient. This looks like a significant problem for Lastpass and any others with a similar UI.
For anyone who doesn't care to read the details, here's the crux of the problem:
Lastpass prompts for the master password -within- the browser window. Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog, so users can't tell the difference. Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.
Re:after reading the details, this is significant (Score:5, Interesting)
Lastpass is an addon/extension overlay, meaning there is no URL.
Re: (Score:2)
Isn't this a pretty standard "hack"? If LastPass missed this issue, what else is sketchy?
Re:after reading the details, this is significant (Score:5, Informative)
Re: (Score:2)
It's really a Chrome issue, on Firefox LastPass uses an OS dialog...
Sure, understood, but that makes it a design issue with LastPass, especially seeing as how Chrome has by far more users than Firefox.
Chrome (Score:1)
Re: (Score:3)
Disagree and this comment makes me sad. What you're arguing is because of Chrome's (large) user base, it's not liable to be a good citizen and follow standards/procedures...
NOT AT ALL!
I'm saying that if you put a SECURITY product out and don't test it on all the available browsers, your product is crap. It's not secure on one of the most popular browsers, why would they design it that way?
I wish. See the Firefox screenshot (Score:4, Informative)
Check out the Firefox screenshot that the researcher included. On Firefox the fake dialog still looks exactly like the legitimate dialog. It looks just like an OS window that has popped up in front of the browser window. You'd only know something was amiss if you tried to drag out to a different part of the desktop so it was no longer "in front of" (actually within) the browser.
Simple fix. (Score:2)
If the user uses ANY customized desktop theme on Windows, these pop-ups are going to look totally alien to the user.
Finally, a valid use for the Windows Classic theme.
Re: (Score:2)
It's really a Chrome issue, on Firefox LastPass uses an OS dialog. According to TFA there's an outstanding issue report in chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).
Also in TFA, he was able to pretty effectively fake the OS dialog. Most people would be fooled.
Re: (Score:2)
along with blocking duckduckgo.com from being a search engine
What are you talking about? Chrome doesn't "block" duckduckgo.com from being a search engine. In fact, it's even in the pre-configured list of search engines in the Chrome settings, and you can make it your default search engine with a grand total of four mouse clicks: click on the hamburger menu, then Settings, then "Manage search engines", then mouse over duckduckgo in the "Other search engines" list and click the "default" button that appears.
Re: (Score:3)
Generation iphone: first complain, then right-click. Then complain that the option was intentionally hidden.
Re: (Score:1)
Re: (Score:2)
Google apparently hates making Chrome extensible. Every Chrome add-on seems crippled compared to its FF "equivalent". Maybe this is due to security... but I highly doubt it. I think that Google are just control freaks about their browser.
Re: (Score:2)
It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser
That's already the case in Firefox. The exploit only affects Chrome, and even then you can always check to make sure the URL says "chrome-extension" and not something similar.
not exactly, see Firefox screenshot (Score:5, Insightful)
The blog entry in which the guy describes the attack has a screenshot of the attack in Firefox. The screenshot also includes a legitimate Lastpass dialog, showing that the fake looks -exactly- like the real Lastpass dialog.
The thing is, the browser can draw something that looks exactly the same as an OS dialog, and it can be dragged around just like the OS dialog. The difference shows up only if you minimize the browser, or already have the browser window small and you then try to drag "the Lastpass" dialog far enough that it's no longer "in front of" the browser window.
Re: (Score:1)
Re: (Score:3)
Re: (Score:3)
Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog
If popups are still a thing, that is much more shocking than the supposed "vulnerability."
I know there are serious professionals actually claiming that password managers make you more secure, but it seems obvious that having a single point of failure based on trust introduces a major vulnerability.
IMO the vulnerabilities involved are:
Re: (Score:1)
on random sites, and reveals other passwords (Score:3)
Slashdot requests a password in the browser, but it's not affected the same way. First, Lastpass throws up a password prompt ON OTHER WEB SITES. You wouldn't enter your banking password on Slashdot.org. However, if Lastpass stores your bank Slashdot password, Lastpass will pop a dialog on Slashdot. You'll then enter your master password into "Lastpass" while you're on Slashdot. With any web-based service, you'd enter your password only on the legitimate site. Lastpass users enter their master password
Re: (Score:2)
Would setting up two factor authentication thwart that?
Lastpass TFA actually makes the hack easier (Score:3)
The way Lastpass implements 2-factor, it actually makes the hack EASIER.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.
Unless the user has 2FA enabled.....
Re: (Score:2)
Unless the user has 2FA enabled.....
From TFA:
Attacker can intercept 2FA codes
Additionally, the attacker can even check these credentials against the LastPass API, verify their accuracy, and even ask the user for the two-factor authentication code if this feature is turned on.
If everything is correct, and all the codes verify through, using the same LastPass API, an attacker can collect any data from the user's account he wants, including the password vault.
Re: (Score:2)
FTFY
Re: (Score:2)
Re: after reading the details, this is significant (Score:1)
Re: (Score:2)
Why would you use LastPass anyway? It seems like a really dumb idea to rely on a cloud service for passwords.
I use KeePass. It can optionally sync its database with a file on Google Drive, which I suppose is the cloud, but crucially it runs everything locally and outside the browser process. Much less vulnerable to this kind of attack.
I never understood the attraction of LastPass. It just seems to charge you money to create a bigger attack surface, and put your credentials at risk.
Strongly recommend review by an experienced expert (Score:2)
As you may know, most small security applications have not been reviewed by someone truly qualified. Issues like what we see here with Last Pass are commonplace. It is very likely, almost certain, that you missed -something- when you developed your software.
If you haven't already, or maybe even if you have, I strongly suggest spending a couple hundred dollars to have another set of experienced eyes review your code. If your application is relatively simple, it probably wouldn't take more than a couple of hours
Re: (Score:2)
The sad thing is that a password manager isn't a tough thing. However, it requires some thought to do it right.
For example, stashing a syncable database on a cloud provider. Most PW managers either use the same password one uses for the local storage.
However, the database on the cloud provider is where security needs to be tight, and, if possible, not brute-forcable. Ideally, the database would be protected by a randomly generated key, which is then encrypted by each device's private key. If the user wa
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
According to your site, it is weak (Score:2)
As you may know, most small security applications have not been reviewed by someone truly qualified. Issues like what we see here with Last Pass are commonplace. It is very likely, almost certain, that you missed -something- when you developed your software. In fact, according to the little bit of text on your web site, you've made a grave mistake. Whoever wrote the text on the web site doesn't understand some basics of security, so if the same person who wrote the web site copy also designed the code, you hav
Reusing the same password is actually better (Score:1)
Systems like Lastpass are designed to keep passwords in an online repository and allow users to have different passwords for each service. In principle, this might actually be a better security model. However, it really isn't because it creates a single point of failure and provides a false sense of security. Keyloggers make it pretty easy to collect passwords from unsuspecting users who might not take security as seriously when Lastpass makes them feel secure. You're also placing your trust in the security
Re: (Score:2)
Re: (Score:2)
Whereas if they reuse 2 passwords instead of just one, they've already defeated your analysis. ;)
More seriously, the surface area isn't as large as you think, because getting a web password doesn't tell you what other services they use. Getting their password manager password does tell you that. It lets them access sites that the user didn't even use while they were under attack. The surface area of the password manager being exploited is therefore much, much larger, even if the attack surface is smaller fr
Re: (Score:2)
You seem to be describing the "surface area" of the impact after an exploit has occurred. I was trying to describe the attack surface area the would allow an exploit in the first place. This is limited to a single site for the manager scenario - the main password si
Re: (Score:2)
... or some imagination and a little black book. ;-)
Re: (Score:2)
If you have reasonable physical security and are not a high profile target, this is ideal. I use this system.
People wave their hands and insist a service is somehow safe, but they do it using pure assertion with no actual security analysis showing it to have lower risk. And they'll freely give out the recommendation to the general public, when actually it depends on individual user context and for many (most!) users it will decrease their security. Security by colloquialism.
Re: (Score:2)
No, often you continue the process until you get to 5 or so and now the user is writing the passwords down. On a sticky note on the monitor is bad, but writing it in inside networked application software simply magnifies the idiocy and danger of writing it on a sticky note.
Re: (Score:2)
That is weapons grade dumb. The only thing this kind of attack can get is whatever passwords the duped user is entering. If they use only one, then as an attacker, all you need is that first one. Since auditing is so important to you, presumably you would also insist that you audit all the websites you're giving your password *to*. Think about it: "I don't trust the password manager, but I think it's a great idea to give the same password to a bunch of different websites whose handling of my password I *can
Re: (Score:2)
Re: (Score:2)
Seems like time to consider the alternatives (Score:2)
Suggestions for alternative password managers that work on all the same platforms? So Linux would need to be included (meaning 1password is out), and iOS and Android as well.
I know there's keepass for the desktop, though I seem to recall the Linux client being a choice of either using some old file format or the Windows version on WINE, and don't know how it'd conveniently sync with a mobile.
Re:Seems like time to consider the alternatives (Score:5, Informative)
keepass is cross platform, using the same file on Linux/Win/Android/MacOS. You can store the encrypted database in a cloud-based service like dropbox and have a highly portable system for password storage on-line & off-line.
That's what I do. For added security, I have a key file that I never put online and only stored locally on my laptop/phone. That way, even if someone gets my database AND somehow intercepts my password they're still out in the cold.
KeeCloud [keepass.info] is a good place to start. Then just pick a browser integration plugin and you're off. For android, Keepass2Android [google.com] is a good choice, too. It has an integrated keyboard that will directly type the username and password into the browser (or app) so you can avoid all those clipboard stealing exploits.
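The key-file point above (an attacker who obtains the database and the password still cannot open it) comes down to a composite key: password material and key-file material are hashed separately, combined, and only then stretched into the unlock key. The following is an added illustration of that property, not KeePass's code or its file format; the vault layout (a salt plus an HMAC verifier tag) and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example: a minimal "vault header" holding a random salt
# and a verifier tag. Real managers encrypt a payload; here we only show which
# factor combinations succeed in reproducing the key.
ITERATIONS = 200_000
VERIFIER_LABEL = b"vault-verifier"


def composite_secret(password: str, keyfile: Optional[bytes]) -> bytes:
    """Hash each factor on its own, then hash the concatenation.

    Hashing the key file separately means its raw bytes never need to be
    sent anywhere, and a password alone produces a different composite."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def derive_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite secret with PBKDF2 so brute force stays expensive."""
    return hashlib.pbkdf2_hmac(
        "sha256", composite_secret(password, keyfile), salt, ITERATIONS, dklen=32
    )


def create_vault(password: str, keyfile: Optional[bytes]) -> dict:
    """Build the header: fresh salt plus a tag that only the right key reproduces."""
    salt = os.urandom(16)
    key = derive_key(password, keyfile, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def try_unlock(vault: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """Recompute the tag from the supplied factors; constant-time compare."""
    key = derive_key(password, keyfile, vault["salt"])
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def demo() -> dict:
    """Which factor combinations open a vault protected by password + key file."""
    keyfile = os.urandom(64)  # constructed: stands in for the file kept offline
    vault = create_vault("correct horse battery", keyfile)
    return {
        "both_factors": try_unlock(vault, "correct horse battery", keyfile),
        "password_only": try_unlock(vault, "correct horse battery", None),
        "wrong_keyfile": try_unlock(vault, "correct horse battery", os.urandom(64)),
        "keyfile_only": try_unlock(vault, "", keyfile),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:14s} -> {'unlocked' if opened else 'refused'}")
```

The interesting line is `password_only`: a phished master password is useless without the second, offline factor, which is the difference from an online 2FA code that a fake dialog can simply relay.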
Re: (Score:2)
Re: (Score:2)
Android is too insecure to store passwords on it. Point.
It depends on the implementation but it is probably more secure than the usual desktop OSes.
Android is based on linux, with SELinux enabled and apps run with different UIDs. The main weakness of Android comes from the delay between the time a vulnerability is fixed and the time you actually have it installed on your phone, but beside this, the stack is quite secure.
Correctly set up, the Keepass file is almost unbreakable. Effective attacks could be the keylogger or DLL injection type where you attempt to ca
Re: (Score:1)
keepassx on linux.
Re: (Score:1)
It's not optimal by any measure, but the Windows version of 1Password is very well-behaved via Wine.
Re: (Score:1)
Keepass1 is rock solid and has native support on all platforms (but no cloud storage so you'll have to sync it yourself with dropbox or similar). The Keepass1 format is well documented enough that it is pretty much a de facto standard. Keepass2 is a .Net rewrite that doesn't work well on ANY platform, and its new format is not widely supported.
The only decent feature that Keepass2 added was better multi-user support, which is pointless for most users anyway. Go with Keepass1.
Re: (Score:2)
"Keepass2 is a .Net rewrite that doesn't work well on ANY platform, and its new format is not widely supported. The only decent feature that Keepass2 added was better multi-user support, which is pointless for most users anyway. Go with Keepass1."
As for the leading Android implementations, keepass2android is definitely better than keepassDroid. They use the same database format (kdbx). However, KPD does not black out its thumbnail in the recent-apps list, does not have the same features for auto-locking th
Re: (Score:2)
Retarded.
That requires hacking the host computer. A keylogger would be just as effective. KeePass does NOT protect you from a compromised host. NO password manager does.
Re: (Score:2)
Re: (Score:1)
Re: Seems like time to consider the alternatives (Score:1)
Re: Seems like time to consider the alternatives (Score:3)
Keep /home on luks, use a screen locker, and configure LastPass to remember the master password. It will tell you that's less secure. Yeah, for less likely attacks - spoofing predictable chrome has been around for more than a decade. x11 apps can already steal your passwords, so minimizing keyboard input of them is important until Wayland.
Re: (Score:2)
I have used RoboForm for almost 10 years and I recommend it to everyone.
I think it is great. The iOS and Windows Phone OS clients are a little lacking but present, Windows, Mac, Linux and Android support are awesome.
Re: (Score:3)
Either you can remember a lot of passwords or you can't. If you can't, just use the same password everywhere. It's as effective as using a "master" password.
Putting 2fa on the vault seems like a sane thing to do... Also it's fewer places that can leak your "master" password... Ie. only lastpass has your master password, so it's only if they get compromised that it is leaked... And they hopefully hash passwords properly... Can't say I believe every other random site hashes passwords correctly.
Also once the browser session is authenticated you shouldn't need to do lastpass again, right?... So you type your master password fewer times.
Honestly, I've been planni
Re: (Score:2)
Either you can remember a lot of passwords or you can't. If you can't, just use the same password everywhere. It's as effective as using a "master" password.
Putting 2fa on the vault seems like a sane thing to do... Also it's fewer places that can leak your "master" password... Ie. only lastpass has your master password, so it's only if they get compromised that it is leaked... And they hopefully hash passwords properly... Can't say I believe every other random site hashes passwords correctly.
Also once the browser session is authenticated you shouldn't need to do lastpass again, right?... So you type your master password fewer times.
Honestly, I've been planning to move to a password managing system... like lastpass. It doesn't magically fix all attack vectors, but reduces a lot.
^ This. I have 2FA on my email and on lastpass. Email and LastPass both have separate passwords. I also have 2FA on the banks I care about. I also receive instant text/email about significant transactions.
Every site has its own, extremely complex unique password. Most of the sites I really care about also require email confirmation of any security-significant changes.
So to really do anything with my accounts, you need all of my lastpass passwords, my 2FA for email, my email password, and you have to do it
Re: (Score:2)
I also click on the lastpass icon to login... not sure how anyone could fake the login modal coming out of the extension like that. I'm guessing this doesn't apply to me because I'd hit cancel and go to my normal method.
How hard would it be for an attacker to disable LastPass and replace it with a pixel perfect look alike?
I suppose the way to defeat that would be to always type the wrong password on the first try and if the password manager appears to accept it, stop trying! Unless the fake password manager is able to use the entered password to try to unlock the database in which case I cannot see a way to detect a fake LastPass.
Re: (Score:1)
I also click on the lastpass icon to login... not sure how anyone could fake the login modal coming out of the extension like that. I'm guessing this doesn't apply to me because I'd hit cancel and go to my normal method.
How hard would it be for an attacker to disable LastPass and replace it with a pixel perfect look alike?
That is a good point. I suppose we are relying on Chrome's security to prevent an attacker from completely replacing the extension itself.
Obviously, mimicking its icon and dialog window would be easy enough.
Then again, if they can do that on my machine they can probably already read passwords from memory or keyboard input? So now I'm just relying on my 2FA
Re: (Score:2)
This is why any good password manager has a mouse click keyboard option when entering the master password.
In addition to this, the PW manager I use, RoboForm, uses a different password (not my master password) to sync to the cloud. Although, by default, the RF settings allow either password to be used for syncing, you can disable this option for added security.
This means that, worst case scenario, I lose control of my master password, the attacker still cannot pull down my encrypted password files from the
Re: (Score:2)
The TFA explains that the problem is actually 2 fold:
1. All authentication dialogs are done (in Chrome) by injecting content into the HTTP stream
2. There is a mechanism by which an arbitrary web site can log you out of your LP session
So, these two problems combine to make a situation where an attacker can easily replicate a pixel-perfect duplicate of a LP authentication window AND this is something that apparently LP users expect from time-to-time.
Locally hosted password manager? (Score:1)
Re: (Score:1)
Bruce Schneier recommends https://pwsafe.org/ (because he designed it...).
I like it too.
Re: (Score:2)
I use PWSafe combined with an OwnCloud instance for sync. Devices have their own local copy of the database plus access to the OwnCloud copy, so I can handle even complicated cases of multiple conflicting updates from multiple devices (I usually do changes on a PC and the "master" gets uploaded to OwnCloud automatically, but devices can either change the OwnCloud copy and those changes get merged into the "master" or they can change their local copy and upload that to OwnCloud for merging into the master ma
Re: (Score:2)
Keepass works on Windows, Mac, Linux, Android, iOS.
It's not as "convenient" as LastPass but it's also less vulnerable to this kind of attack.
Re: (Score:2)
Switching to 2 form factor will elevate any issues here
That word you use. I do not think that it means what you think it means.
However, it is appropriate.
Use last pass with 2 factor authentication and these issues go away
No, they won't. From the very first paragraph of TFA:
The subsequent login page and the two-factor authentication code, if enabled, are also displayed in the same way.
Lastpass puts the 2FA dialogue in the browser too, which is incredibly stupid, because then that can be intercepted too. The attacker can send both the correct password and the correct 2FA response from you to the lastpass site.
KeePass (Score:1)
Re: (Score:2)
I always assumed (based on the name only), that lastpass wasn't a database, but a {printable characters} encoded hash of the domain & master password. I'm somewhat disappointed that that isn't what they're using.
Password complexity rules vary (Score:2)
The problem with regenerating a hash every time you choose to log in to a particular site is that sites' minimum and maximum length and complexity for user passwords varies so widely. It would have to store the length, set of permitted characters, and set of required characters for each site.
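The stateless scheme from the earlier comment (derive each site's password from the master password and the domain, store nothing) and the objection above (every site has its own length and character rules) can both be seen in one small model. The following is an added example, not LastPass's or any product's code: a per-site policy records length, permitted characters and required character classes, the password is expanded from a PBKDF2 seed by rejection sampling, and a counter is bumped deterministically until the result satisfies the policy. The policy values and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass
from typing import Tuple

KDF_ITERATIONS = 100_000  # constructed: real deployments would tune this upward


@dataclass(frozen=True)
class SitePolicy:
    """What the comment says must be stored per site: nothing secret, just rules."""
    domain: str
    length: int
    allowed: str                      # every character the site permits
    required: Tuple[str, ...] = ()    # classes of which at least one must appear


def site_seed(master: str, domain: str, counter: int) -> bytes:
    """Per-site seed: master password stretched with the domain and a counter as salt."""
    salt = f"{domain}\x00{counter}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def expand(seed: bytes, policy: SitePolicy) -> str:
    """Map seed bytes onto the allowed alphabet without modulo bias."""
    n = len(policy.allowed)
    limit = 256 - (256 % n)           # bytes >= limit would bias the low symbols
    chars = []
    block = 0
    while len(chars) < policy.length:
        stream = hmac.new(seed, block.to_bytes(4, "big"), "sha256").digest()
        for b in stream:
            if b < limit:
                chars.append(policy.allowed[b % n])
                if len(chars) == policy.length:
                    break
        block += 1
    return "".join(chars)


def satisfies(password: str, policy: SitePolicy) -> bool:
    """The site's acceptance test as the policy encodes it."""
    if len(password) != policy.length:
        return False
    if any(c not in policy.allowed for c in password):
        return False
    return all(any(c in cls for c in password) for cls in policy.required)


def derive_password(master: str, policy: SitePolicy,
                    max_tries: int = 256) -> Tuple[str, int]:
    """Deterministic: the first counter whose expansion passes the policy wins,
    so re-running with the same master and policy reproduces the same password."""
    for counter in range(max_tries):
        candidate = expand(site_seed(master, policy.domain, counter), policy)
        if satisfies(candidate, policy):
            return candidate, counter
    raise ValueError(f"no compliant password for {policy.domain} in {max_tries} tries")


# Constructed policies illustrating how widely site rules differ.
BANK = SitePolicy("bank.example", 12, string.ascii_letters + string.digits,
                  required=(string.ascii_uppercase, string.digits))
FORUM = SitePolicy("forum.example", 20,
                   string.ascii_letters + string.digits + "!@#$%^&*",
                   required=(string.digits, "!@#$%^&*"))
PIN_ONLY = SitePolicy("legacy.example", 6, string.digits)

if __name__ == "__main__":
    for policy in (BANK, FORUM, PIN_ONLY):
        pw, ctr = derive_password("master passphrase", policy)
        print(f"{policy.domain:16s} counter={ctr} {pw}")
```

Note what the example does not solve: if a site later changes its rules, the stored policy must change too, and with it the derived password, which is exactly the bookkeeping the comment says a stateless scheme cannot escape.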
Re: (Score:2)
But you wouldn't have to send it to a third party.
We did this in 1975 on a Burroughs B5500 Timeshare (Score:2)
Re: (Score:3)
Re: (Score:2)
Physical access was not actually (definitely) implied.
We did similar in late 80s on unix / X-Windows boxen - the uni had set them up with a nifty graphical login because command line was so-last-year, but no security (standard in those days) on the X display connections. All you needed was a program that showed the same password prompt window and grabbed the username/pw. Even when display security was added it was bodged so any "local" process could connect to :0, and anyone could remote into any workstat
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I'm pretty sure they're not the same, but I'll admit I had the same thought. [youtube.com]
LastPass's Response (Score:5, Informative)
Here's the response from LastPass:
https://lastpass.com/support.p... [lastpass.com]
(I think this link should be in the main summary for balance)
As for Google Chrome, LastPass asks that you star Issue 39511 for extension infobars outside the DOM. Specifically here's LastPass asking for improvement in Chrome January 12th, 2012:
https://code.google.com/p/chro... [google.com]
I am NOT affiliated with LastPass.
Re: (Score:1)
Also here's a link to Sean Cassidy's Twitter account: https://twitter.com/sean_a_cas... [twitter.com]
https://twitter.com/sean_a_cas... [twitter.com]
"LastPass now requires email confirmation for logins from new IPs, even with 2FA: https://lastpass.com/support.p... [lastpass.com]"
Does that mean the 2FA issue is addressed?
LastPass have responded: (Score:2)
https://lastpass.com/support.p... [lastpass.com]
It seems they've turned on email confirmation even for users with 2FA, along with a couple of other in-browser measures.
Re: (Score:3, Funny)
Everybody can write stupid comments, and nothing at all can stop them!
Re: (Score:2)
Re: (Score:2)
I've used it for a while and only ever seen Lastpass ask for login details when the browser is first opened, not in the middle of a browsing session, so the timing of it would give away that it's a fake.
It's still a good attack, easy enough to have a quick brain fart and type creds into such a window.
There is an idle logout setting, if you need that enabled then would be more vulnerable to this as you would have login windows popping up during normal browsing.