ShmooCon: LastPass design elements create perfect Phishing opportunity

  • 17 January 2016

January 16th 2016 By Steve Ragan
Washington, D.C. - At ShmooCon on Saturday, Sean Cassidy, the CTO of Praesidio, demonstrated a clever attack against LastPass, which is possible thanks to a security trade-off and easily spoofed UX elements.
 
Cassidy’s presentation at ShmooCon on Saturday morning outlined a clever phishing attack against LastPass users, which is made possible due to design elements within the password manager’s core functions.
 
The attack, which doesn’t require any special skill or circumstance to accomplish, enables an attacker to steal a LastPass customer’s entire existence, as everything stored by the LastPass service is exposed.
 
Full Article

1 reply

by Michael Mimoso    January 18, 2016
LastPass has taken measures to mitigate a phishing attack described this weekend at ShmooCon that put at risk users’ credentials and information stored by the password manager.

Researcher Sean Cassidy, chief technology officer of cloud security company Praesidio, demonstrated an attack where he was able to recreate a LastPass login page, pixel-for-pixel as he said. Cassidy’s LostPass attack starts with a phishing email redirecting a victim to a hacker’s page hosting the phony login. The hacker’s notification page tells the user they’ve been logged out of LastPass and convinces them to enter their password, two-factor authentication information and more. With the user’s credentials, an attacker could have access to the victim’s passwords and any documents stored in LastPass.
 
Full Article
