Bypassing LastPass’s Security? A phishing Attack Would Serve Just Right

January 18th, 2016 Ali Raza Cyber Attacks, Phishing Scam, Security 0 comments
LastPass Password Manager, renowned as a secure vault for users’ passwords, has recently been shown to have weaknesses that could expose many users’ accounts.

A phishing technique does the trick, and it is little more than a combination of software flaws and social engineering. Security researcher Sean Cassidy, who developed the phishing attack, claims that a simple email could potentially bypass strong security measures in place, such as two-factor authentication.

According to Cassidy, users can be tricked into submitting their LastPass master password and even their second-factor authentication code using lookalike pop-up notifications in the browser.


The victim visits a malicious site that runs JavaScript code. The code displays a browser notification informing the user that they have been logged out of their LastPass account. The notification is indistinguishable from those shown on the LastPass website and instructs the user to enter their master password and, where enabled, their two-factor authentication code. The data can then be retrieved by the attacker, who thereby gains access to all of the user’s passwords in the vault.


Cassidy explained that LastPass is vulnerable to cross-site request forgery: any website is able to send a logout notification to the application. Cassidy also underlined that a browser-based password manager such as LastPass, which stores users’ passwords in the cloud, is actually more dangerous than a simpler application that stores data on the user’s local device. Another weakness is the encrypted backup of one’s password vault on the application’s server, which LastPass recommends to its users: convenient on one hand, but on the other it gives whoever possesses the login credentials access to a copy of the password file.

Cassidy reported the issue back in November, and LastPass confirmed it worked with him to fix it. The company, however, pushed back on the claim that there was a vulnerability in LastPass and stressed that it was a phishing attack. The company then released an update to prevent users from being logged out this way and added a further safeguard: you are now notified if you enter your master password into a non-LastPass form.

Cassidy counters that this type of security alert, because it comes from LastPass itself, could be detected by an attacker-controlled website and suppressed, rendering it useless. He also stresses that a phishing attack should not be treated differently from a remote code execution vulnerability.

The means differ but the end is the same in most cases: stealing people’s data. Therefore, a stronger focus should be put on defending users’ data at all costs.

Ali Raza is a freelance journalist with extensive experience in marketing and management. His work has been featured in many major crypto and tech websites including Hacked, Hackread, ValueWalk, Cryptoslate, CCN, and Globlecoinreport to name a few. Raza is the co-founder of 5Gist.com, too, a site dedicated to educating people on 5G technology.