At ShmooCon on Saturday, Sean Cassidy, the CTO of Praesidio, demonstrated a clever attack against LastPass, which is possible thanks to a security trade-off and easily spoofed UX elements.
Cassidy’s presentation at ShmooCon outlined a clever phishing attack against LastPass users, which is made possible by design elements within the password manager’s core functions. The attack, which doesn’t require any special skill or circumstance to accomplish, enables an attacker to steal a LastPass customer’s entire digital existence, as everything stored by the LastPass service is exposed.
A series of flaws, bad security practices and design issues exposed the passwords of LastPass users to various types of attacks, researchers have demonstrated.
LastPass is a popular single-sign-on and password management service that is reportedly used by more than 10,000 organizations. LastPass says it has no access to user data and boasts features such as local and secure encryption, secure encryption keys, and secure storage. LastPass’ features and design should in theory make it difficult for an unauthorized party to gain access to passwords, whether they are trying to obtain the information from the user or from the company’s systems.