LastPass flaw article

Status
Not open for further replies.

Soulbound

Moderator
Thread author
Verified
Staff Member
Well-known
Jan 14, 2015
1,761
Came across this article while searching for something totally unrelated.

For password manager users, have a read.

Part of article:
it is revealed that this password manager is at risk of a nasty phishing vulnerability. The author, Sean Cassidy, has published details about what he has dubbed 'LostPass'.


"I have discovered a phishing attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. I call this attack LostPass. The code is available via Github. LostPass works because LastPass displays messages in the browser that attackers can fake. Users can't tell the difference between a fake LostPass message and the real thing because there is no difference. It's pixel-for-pixel the same notification and login screen", says Sean Cassidy, CTO, Praesidio.

Cassidy further explains, "a few months ago, LastPass displayed a message on my browser that my session had expired and I needed to log in again. I hadn't used LastPass in a few hours, and hadn't done anything that would have caused me to be logged out. When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification".

Full article:
LastPass has serious flaw called 'LostPass' -- your passwords and more are at risk
 

DracusNarcrym

Level 20
Verified
Top Poster
Well-known
Oct 16, 2015
970
Never been fond of LastPass, however such exploits are actually... rather expected, for web-based applications.
As I said, never having been intrigued by LastPass, I have been using KeePass. It surely also must have its weaknesses, but the fact that it's offline is a plus and it adds to the overall security for storing passwords.

Anyway, if this security flaw is as serious as the author suggests, then I'm pretty sure the LastPass developers are bound to prepare and push out patches to address it sooner or later, if they haven't done so already. They were pretty frantic about a "breach" of their servers in the past, even though it didn't result in the compromise of any users' credentials.
This case, however, seems to be of a much more critical nature, since, as described by the author, it is quite possible for the phishing attack to be carried out successfully.
 

Soulbound

Moderator
Thread author
Verified
Staff Member
Well-known
Jan 14, 2015
1,761
I personally am not a fan of password managers, be they offline or online.

Do I use easy passwords? No. How can I remember all of them? I have my own method and they are all related one way or another. Do I use the same password twice? No.

In the event I do forget a password, the "forgot password" feature is there to help save the day. Plus, I am old school: notebook + pen.
 

DracusNarcrym

Level 20
Verified
Top Poster
Well-known
Oct 16, 2015
970
Plus, I am old school: notebook + pen.
Likewise. Password keepers simply make many things more convenient in case you have to manage many tens of passwords; copy-pasting details is much smoother and more secure. (It is also much preferable to save passwords in password keepers rather than in built-in browser password managers.)

I too have my most important passwords (e.g. primary e-mails) written down on organized Post-it notes plus a classic spiral notebook.
Though it is rather annoying to take down 64-character passwords, the most important ones are worth keeping a physical record of.
 

illumination

I keep my most important passwords stored right where they should be, in my mind ;) The rest I utilize password managers for, as there are many. I did, however, ditch LastPass, as it has had a few issues since 2011 that leave little to be desired.
 

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
Luckily I ditched LastPass. In fact I'm going to ditch Sticky Password too. My brain cells should be enough to store and recall those passwords and usernames till 55 :D
 

Soulbound

Moderator
Thread author
Verified
Staff Member
Well-known
Jan 14, 2015
1,761
I suppose most LastPass users have already converted to another solution instead of waiting for a response. Either way, I would assume the ones who want online services will probably stick to LastPass, although it has been proven that once news gets out in the wild, a product's reputation is severely damaged and will be hard to recover (see IObit, McAfee and so forth). Those who prefer offline methods will use another solution instead.

One thing that always troubles me is: there is always someone to blame for a shortcoming. In this case Google, for its viewport notifications.
 

Deleted member 178

I don't think it is that serious a threat if you are prepared; to frame you, the attackers need to reroute you and then XSS attack you. Aware users will find the counter-measures.

I'm sticking to LastPass, it is the only one that gives free Sync.
 

Kantry123

Level 7
Verified
Well-known
Oct 20, 2014
321
I don't think it is that serious a threat if you are prepared; to frame you, the attackers need to reroute you and then XSS attack you. Aware users will find the counter-measures.

I'm sticking to LastPass, it is the only one that gives free Sync.
Exactly, we need to worry about these when we are using OPEN hotspots, but if we are using it at HOME/OFFICE, this is the only extension with FREE sync, unlimited password storage, etc.!

Also, if anybody feels LastPass has some attacks or is INSECURE, use the 2-STEP verification option; that will help you in securing your account!!

Regards
 

LabZero

I think that not everyone will agree with me, but personally I don't trust any password manager to store very important passwords.
If a password manager becomes the target of a strong attack, nothing is inviolate and nothing is safe; it is only a matter of time.
The best way is, as said above, the old school: "keep it in mind", paper & pen and offline storage.
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
I think that not everyone will agree with me, but personally I don't trust any password manager to store very important passwords.
If a password manager becomes the target of a strong attack, nothing is inviolate and nothing is safe; it is only a matter of time.
The best way is, as said above, the old school: "keep it in mind", paper & pen and offline storage.
For the first time we do not agree, and I am sure in the future I will be judged wrong, but I will take the chance on it for the time being. :D "I am lazy" sums it up well.
 

Soulbound

Moderator
Thread author
Verified
Staff Member
Well-known
Jan 14, 2015
1,761
One can always keep passwords in a txt file. I have a backup txt file with links and their user names, just not passwords. Backed up on my HDDs and OneDrive. A similar thing is done for active license keys, since I maintain 3 systems in my household.
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Phishing attacks are prone to happen no matter what service you use, it could be LastPass or Facebook or even this forum, but that doesn't stop you from using the services, and this news shouldn't come as a surprise. If you are vigilant enough you'll be able to catch the attack before you fall for it. This article points out to you exactly what you should be looking for, so the only way to "patch" this is to keep your eyes wide open! :)
 