A new phishing attack on LastPass, dubbed "LostPass," can override two-step verification.
A serious attack has been revealed that jeopardizes LastPass user credentials and can even override two-step verification. Cybersecurity researcher Sean Cassidy has dubbed the attack "LostPass." According to Cassidy, LostPass "allows an attacker to steal a LastPass user's email, password, and even two-factor authentication code, giving full access to all passwords and documents stored in LastPass." As in standard phishing, the attack mimics the LastPass login page to get users to enter their credentials into a fake submission box. To make the attack more convincing, LostPass makes it look as though the user has been logged out of LastPass and needs to re-enter their login information.
For the LostPass code to run, a user needs to visit a malicious website (or even one that is simply vulnerable to XSS). According to Cassidy, the attack is most convincing for users of the Chrome browser. Although LastPass has defended itself and its security prowess, the company has now bolstered security in response, requiring all users to approve devices through their registered email addresses. "A point that was only briefly raised in Cassidy's research was the role that the browser itself plays in this attack," said the company. "LastPass has encouraged Google for years to provide a way to avoid using the browser viewpoint for verifications.... in lieu of that possibility right now though, we have taken other steps to strengthen LastPass."