I read that LastPass is vulnerable to phishing attacks - should I be concerned?
Phishing has long been a popular tactic for stealing valuable information from users. On Saturday, January 16, security researcher Sean Cassidy gave a presentation at the hacker convention Shmoocon demonstrating a phishing attack against LastPass. In this attack, a user is directed to a malicious website, and the page generates a notification that looks like a LastPass notification. The fake notification tricks the user into thinking they have been logged out of LastPass, then directs them to log in again by entering their master password, and their two-factor authentication data if they have it turned on. Although this is not a vulnerability in LastPass, we have outlined some steps below that will mitigate the risk of this and future phishing attacks.
How LastPass protects you from phishing attacks:
Preventing logout: The first line of defense that LastPass has introduced is preventing the malicious page from actually logging the user out of LastPass. Even though the malicious page shows a fake LastPass notification saying the user has been logged out and needs to log in again, the user can see that the LastPass extension itself in their browser toolbar is still logged in.
What if the user misses that they're still logged in to LastPass and clicks on the fake LastPass notification to log in again?
Warning that the master password was entered on a non-LastPass page: LastPass will detect if the user enters their master password on a non-LastPass page and displays a strong warning, even before the user submits it to the page.* The user will know immediately that their master password may have been compromised and can change it.
But what if the malicious page suppresses that warning from LastPass, so the user still enters their master password, and potentially their two-factor authentication data?
Requiring verification for logins from unknown locations or devices: LastPass has a verification process that is required whenever a user attempts to log in from an unknown location or device. Cassidy claims in his research that it is possible for the malicious page to suppress any messages LastPass tries to show in the viewport, thereby potentially preventing the user from seeing the above master password warning. So if the user does not see the warning, and still enters their master password and their two-factor data, the attacker could then attempt to remotely log in to their LastPass account. However, upon attempting to log in, they would be unable to gain access to the account without also completing the email verification steps. This requires access to the user's email address (or security email address, if enabled for their LastPass account) to approve the new location or device.
The verification process significantly reduces the threat of this phishing attack. The attacker would need to gain access to the user’s email account as well, which could also be mitigated by two-factor authentication for their email account. Should a user see a verification request that they did not initiate, they can safely ignore it. Out of caution, we recommend updating the master password as well in the LastPass Vault by launching Account Settings and entering a new master password, then saving your changes.
Requiring verification even for accounts with two-factor authentication: Previously, LastPass allowed users with two-factor authentication turned on to bypass the verification process, as they already had additional protection enabled for their account. We have now changed the default so that all users, even those with two-factor authentication, will be directed to the verification process when logging in from unknown devices or locations.
Warning against master password reuse: LastPass also alerts users when it detects that their master password is being used as a password for other websites. LastPass performs this check locally, on the user’s device, so the master password is never sent to LastPass and no sensitive information is disclosed to LastPass. The user is then advised to update their passwords and to be careful to never reuse their master password.
Revisiting our notification approach: To date, LastPass has relied on the viewport for notifications. This is the area below the tab bar and URL address bar, where web pages normally appear in the browser. LastPass has significant measures in place to protect its use of the viewport through iframes, but our team is working to release additional notification options that bypass the viewport and therefore eliminate the risk that it presents in phishing attacks.
Looking to the browser for better protection:
A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.
We hope that future improvements to the browser will help us go even further to protect users from these types of attacks. Until then, though, we have taken other steps to strengthen LastPass.
*LastPass never knows or has your master password. This security check is performed locally on your device without revealing any sensitive data to LastPass.