LastPass customers might be at risk of A Phishing assault, Warns A safety skilled

users of password manager LastPass should beware of phishing makes an attempt that impersonate the program’s browser extension pop-united states of americato steal their passwords, warns safety expert Sean Cassidy.

Cassidy presented a proof-of-thought demonstration this week on the ShmooCon security convention, showing how malicious websites can generate in-browser pop-u.s.a.that mimic—in some circumstances, down to the individual pixels—LastPass’s login prompts.

“I was the use of LastPass, and that i was on some random site, and it popped up a notification that I had been logged out, and i went to go click the notification, as a result of it was just displayed on the high of the web page,” says Cassidy, who is the CTO of security firm Praesidio. “I clicked it, and then I tested that it used to be if truth be told LastPass, and then i thought, ‘you understand what? i will be able to do that same factor.'”

LastPass outlets login credentials for a couple of websites locked in the back of a single grasp password, so customers don’t have to memorize or write down particular person usernames and passwords. When visiting a site with credentials stored in LastPass and not logged in to the program, LastPass will generate an in-browser pop-up prompting the user to enter the LastPass password.

And because the pop-up is generated with the same kind of code used to construct web pages, there’s nothing to stop hackers from producing an identical-having a look suggested and stealing users’ LastPass passwords—potentially giving them access to each and every of the consumer’s other passwords, Cassidy says.

“the problem with most defenses for phishes is you teach your customers to say, this is what a phishing e mail seems like, don’t click on it,” he says. “however in this case, the phish is exactly the identical HTML and CSS, so there’s no technique to inform which is actual and which is fake.”

Cassidy says LastPass has told him they’re taking steps to make such phishing attacks tougher, which the corporate tested in an e mail to fast firm on Thursday.

“We did work directly with Sean Cassidy, and may verify this is a phishing assault, no longer a vulnerability in LastPass,” a company spokeswoman wrote. “however, we’ve released an update on the way to stop a person from being logged out by using the phishing device, thereby mitigating the danger of the phishing assault. as well as, LastPass has a constructed-in security alert to can help you be aware of when you’ve entered your master password right into a non-LastPass web type.”

Cassidy says he felt an duty to make the vulnerability recognized, in particular because it’s moderately simple to assemble a phishing attack in keeping with the issue, although he’s not aware of this type of assaults yet.

“not like an awfully advanced buffer overflow, or something that only some individuals would be aware of tips on how to make the most, as a substitute, anyone who knows HTML and CSS could take advantage of this, and little or no coding is involved,” he says.

He recommends that IT departments make certain their customers are aware about the issue and urge customers to at all times interact with LastPass by clicking on this system’s icon, somewhat than responding to its pop-ups—simply as users enthusiastic about phishing may navigate directly to a bank’s web page or app quite than clicking on emailed links.