LastPass hacked; security compromised for good

LastPass password manager had its security compromised by two white hackers in two days — It turned out sometimes it’s good to be hacked by good hackers!

Mathias Karlsson, an IT security researcher recently breached the security of popular password managers LastPass and reported the issue to the firm.

It all happened when Karlsson noticed LastPass has added HTML code on their website and upon further digging, he found out a serious bug allowing him to extract passwords stored in the autofill feature. In a blog post, Karlsson revealed that the bug was in the URL parsing.

“First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. However, the URL parsing code was flawed, stated Karlsson.”

Further, Karlsson tested the bug on http://avlidienbrunn.se/@twitter.com/@hehe.php and found that the browser would display the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurrence of @, the actual domain is treated as the username portion of the URL.

Karlsson also shared a screenshot he took from the avlidienbrunn.se domain which displayed Titter credentials in the clear-text form:

Must Read: Top 15 Cyber Attacks and Security Breaches in 2015

Lastpass-hacked-again

Good news is that Karlsson reported the issue to LastPass who fixed the flaw immediately and paid him a sum of $1000.

Second case of LastPass hack: 

In another case, Tavis Ormandy, a Google Security Team researcher exposed a message-hijacking bug that affected the LastPass Firefox addon. To take advantage of this bug the attack had to lure a LastPass user to visit another site and then execute the LastPass actions in the background without the user’s knowledge, such as deleting items. This was possible if the victim fell for a phishing scam that basically redirects users to a fake page, however, good news is that LastPass has issued a security advisory urging FireFox users to update the 4.0 version to the latest one.

History of LastPass security breaches: 

This is not the first time nor will it will be the last time when LastPass has faced security issue, this is the Internet and 100% security is a myth however in the past; researcher demonstrated how attackers can hack LastPass users through a phishing scam. In June 2015, LastPass admitted its database comprising of email addresses, server per user salts, password reminders and authentication hashes were hacked.

Related  10 Crucial Security Tips to Reduce Data Loss in Microsoft Office 365

Must Read: How to secure your cyber infrastructure from threats like ransomware?

Warning:

Whether you are a LastPass user or not, keep in mind never to click an unknown link as it can lead to a phishing scam
NEVER use the same password for other accounts
Use 2 two factor authentication
Use a strong password!

SourceLastPass
 

Written by Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.