A simple tool released on GitHub by security researcher Sean Cassidy can steal the login details and two-factor authentication code for the popular LastPass password manager, The Register reports. The tool lets attackers mimic the look and feel of the LastPass browser plugin and website, and it uses the same browser pop-up boxes and banners that the password manager uses to request a user’s master password and two-factor authentication code, the source explains.
Cassidy, the chief technology officer for Praesidio, who presented the attack at the hacker convention ShmooCon in Washington, said, “I call this attack LostPass. LostPass works because LastPass displays messages in the browser that attackers can fake.” Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. “It’s pixel-for-pixel the same notification and login screen”, he added.
“I am publishing this [phishing] tool so that companies can pen-test themselves to make an informed decision about this attack and respond appropriately.” Attackers could block warning prompts that LastPass would normally throw in the event their vault master password is entered anywhere but the official website.
As of today, all LastPass users who have enabled two-factor authentication will need to go to their registered email accounts to approve the device they are using to sign in to LastPass.
In June last year, LastPass officially announced that its servers had been breached and that a significant number of LastPass account email addresses, password reminders, per-user server salts, and authentication hashes were compromised.