Image: Intel Free Press/Flickr
Password managers are great, and using one on a daily basis is probably the number one thing you can do to lessen your chances of getting seriously owned. But that doesn't mean they're perfect, and small software flaws combined with good old-fashioned social engineering can go a long way.
Case in point: Using a new phishing attack developed by security researcher Sean Cassidy, attackers could gain access to all passwords stored by a user of LastPass, including accounts protected by strong security measures like two-factor authentication—if users aren't careful about what they click.
"You don't [need to] have access to a LastPass user's machine," writes Cassidy in a blog post explaining the attack. "Instead, you trick the user into giving you their credentials."
In an email sent to Motherboard, a LastPass representative confirmed the company worked with Cassidy to fix the issue after he reported it in November. But the company also dismissed the vulnerability as "a phishing attack, not a vulnerability in LastPass." The company says it has released an update that prevents users from being logged out by Cassidy's phishing tool, and also implemented "a built-in security alert to let you know when you've entered your master password into a non-LastPass web form."
Cassidy disagrees that this puts the matter to rest. Since the security alert is sent through the browser's viewport, just like the logout message, an attacker-controlled website could easily detect when LastPass sends the alert and suppress it, he says.
"We as an industry do not respond to phishing attacks well," he writes. "In my view, it's just as bad, if not worse than, many remote code execution vulnerabilities, and should be treated as such."
UPDATE, 01/18/2016, 11:14 am ET: LastPass has responded with a blog post detailing more changes it has made to defend against phishing attacks like Cassidy's. This notably includes sending verification emails whenever an account is logged into from an unrecognized location, even when 2-factor authentication is enabled. This would prevent an attacker who tricked a user into submitting their LastPass login credentials from being able to obtain their password file, unless the attacker also had access to their email.
In an email sent to Motherboard, Cassidy says that the email confirmation step "mitigates most of the danger." But he also warns that the practice of sending notifications in the browser's viewport still makes it possible for users to be easily tricked.
"I still want them to stop putting notifications in the viewport, but they've been reluctant to do so," says Cassidy. "One of their other mitigations, telling you that you've typed in your master password into a field, actually resulted in another bug because they put the notification in the viewport."
Additional reporting by Lorenzo Franceschi-Bicchierai