LastPass mitigates phishing flaw in its password management software

Cybersecurity threats CSC Blogs

Even as many online services and enterprises have come to embrace stronger authentication, the password still remains the primary key to most online kingdoms. With that in mind, it’s unfortunate that an all-too easy phishing attack made it possible to crack  the widely used password manager LastPass.

Prior to publicly disclosing the flaw, Sean Cassidy, the CTO at cybersecurity firm Praesidio, warned LastPass of the vulnerability that made it possible to (in version 4.0) spoof the app and fool targeted victims into revealing their usernames and passwords. A presentation was given by Cassidy at a security conference in Washington D.C. on January 16.

In response, LastPass contends that it’s a browser vulnerability and not technically a vulnerability within LastPass itself:

“Phishing has long been a popular tactic for trying to steal valuable information from users. On Saturday, January 16, security researcher Sean Cassidy gave a presentation at hacker convention Shmoocon demonstrating a phishing attack against LastPass. In this attack, a user is directed to a malicious website, and the page generates a notification that looks like a LastPass notification. The fake notification tricks the user into thinking they were logged out of LastPass, then directs them to login again by entering their master password, and their two-factor authentication data if they have it turned on. Although this is not a vulnerability in LastPass, we have outlined some steps below that will mitigate the risk of this and future phishing attacks.”

Because LastPass relies on the security and actions of the browser and permits this activity in its application flow, I disagree. In the company’s blog, LastPass claims to have made updates that hopefully will raise the difficulty for attackers to pull off the attack without users knowing something is awry.

Cassidy’s proof-of-concept attack, which he dubbed LostPass, was published on Github. And in an update to that post, following LastPass’s mitigation measures, Cassidy wrote that LastPass “now requires email confirmation for all logins from new IPs. This substantially mitigates LostPass, but does not eliminate it.”

The takeaway for enterprises is to educate employees about the importance of using various passwords, rather than using the same password(s) repeatedly, as many do. That way, if one is comprised, there is no single key to the kingdom. Also, keep educating staff about phishing attacks. And if it makes sense, incorporate two-factor authentication in your apps and services.

Be careful out there, everyone, even when using password managers.

 

RELATED LINKS

7 simple steps to secure your cloud data

How IoT is changing enterprise cybersecurity

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: