LastPass vulnerable to simple phishing attack

Security researcher Sean Cassidy has developed a simple attack against the LastPass password management service, and published the code on GitHub.

Cassidy said he discovered a phishing attack against LastPass that allows an attacker to steal a LastPass user’s email, password, and two-factor authentication code.

This will give the attacker full access to all the victim’s passwords and documents stored in LastPass.

“I call this attack LostPass,” said Cassidy. “LostPass works because LastPass displays messages in the browser that attackers can fake.”

“Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and login screen.”
