Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”
LostPass is a clever phishing attack. Essentially an attacker creates a fake notice that a user’s LastPass session has expired and asks them to log in. The fake version is visually identical to the actual notice LastPass uses, and even technical users would be unable to distinguish between the real notice and a phishing attempt.
LastPass responded by removing the button in its session expiration notices (so users will, presumably, be able to better distinguish fake versions which would need to have some sort of “login” button). LastPass also now requires users to go through an email-based process to approve logins from any previously unknown device or IP address.
LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays notifications, but that its complaints fell on deaf ears,
A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.
It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sort of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”
So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.