HITBGSEC

LastPass phishing attack could have scooped up passwords

http://core0.staticworld.net/images/idgnsImport/2015/08/id-2957383-castle-538722-100600887-large.jpg

A relatively simple phishing attack could be used to compromise the widely used password manager LastPass, according to new research.

Notifications displayed by LastPass version 4.0 in a browser window can be spoofed, tricking people into divulging their login credentials and even snatching a one-time passcode, according to Sean Cassidy, who gave a presentation at the Shmoocon conference on Saturday.

Cassidy, who is CTO of Praesido Inc., notified LastPass of the issues. In a blog post, LastPass said it has made improvements that should make such an attack harder to pull off without a user knowing.

Tags: