News broke over the weekend about an approach to a phishing attack that could fool you into giving a hacker your LastPass credentials, even bypassing two-factor authentication. It’s not yet been seen in the wild, but code has been made available, so I’d expect it to start appearing.
Quick bottom line
If you get a message from LastPass that your session has timed out and you need to log in again, don’t. Instead, I recommend you close your browser, re-open your browser, and log in using the LastPass icon on the browser’s menu bar.
That password dialog may not be LastPass
Apparently, malicious code on an attacker's website, or on a legitimate website vulnerable to cross-site scripting, could simulate the exact look and feel of the LastPass log-in dialog box on some browsers. You think you're logging into LastPass as normal, but in fact you're handing your credentials to the attacker.
While it might be overkill, closing your browser is probably the safest thing you can do. You've not been compromised at that point. Re-opening the browser and logging in using the browser's LastPass icon guarantees you're logging in safely. (It may be enough to simply ignore the message box that's prompting for your password and log in again using the browser icon, but it's cleaner to restart the browser.)
To be honest, it’s unclear just how big of a deal this really is, or whether recent changes to LastPass address the issue completely. But getting an unexpected request to re-login to LastPass is the sign to look for.
Before we panic
A couple of important points.
First, LastPass has not been hacked. This is different from, and unrelated to, any kind of hack. This is a potential phishing attack that fools you into turning over your master password.
Second, I’m not abandoning LastPass. I want to see how they respond. I have an email out to them right now. I’ll update this article if I get a response, and as more information becomes available.
In the meantime, just be extra careful when logging in to your LastPass account. Avoid using anything that pops up in your browser window; instead, always use the ever-present LastPass icon in your browser’s toolbar.
It’s what I’m doing.
Update
Update 19-Jan-2016: Lastpass issued a response: I read that LastPass is vulnerable to phishing attacks – should I be concerned?
Short version: the issue should be addressed. In general, two-factor authentication protects you well. They discuss the vulnerability completely, and have indeed made one tweak to their processes relating to two-factor that patches one hole.
My take: a good, responsible response. I feel better. As I expected I would.
Thanks Leo. Over the last two or three months I've been asked to log into my Lastpass account at various times. Of course the same is true of logging back into my Microsoft account. I always use Lastpass but seldom use the MS account. I'm using Win 10 and since they seem to be having a continued problem syncing each of my email accounts I just don't go there. Thank you for adding again an additional layer of safety for all of us out here.
Thanks Leo, good information. I probably would have gone ahead and signed in.
You refer to “the ever-present LastPass icon in your browser’s toolbar”, but that only goes for users who have installed the plugin. I haven’t, at least not yet, so I always log into LastPass via their website address, http://www.lastpass.com
I run NoScript to prevent JavaScript on non-trusted sites. Does this prevent this problem?
I’m not deep enough in the details to know for certain. I would not count on it.
Maybe not totally, but it should at least greatly lessen it.
It can't protect you if a trusted site has been compromised.
After the last Lastpass update, when you open the browser there is no icon. When you enable Lastpass the icon appears colored without having to enter any password. This happens every time you close and reopen the browser. I wonder every time this happens if this is as it should be. Any random user of this computer could do the same thing without knowing any passwords.
Do you have "Automatically log off when all browsers are closed for {number of minutes}" checked? It might have somehow got deselected. I use LastPass on several devices, and all of my portable devices log off and turn the icon gray. I have this box unchecked on my desktop so that I don't have to log on each time, and it behaves as you describe, but in my case by choice.
Thanks. I hoped there was a solution
You don’t have an auto-reprompt configured. My desktop installation works like this on purpose. My laptop is set to require a reprompt after some period of inactivity. (It auto-logs out.)
Thus if I get the “timed out” message on my desktop – where I have it configured never to time out – I know something’s up. :-)
Thank you so much for bringing this to our attention. You really have your subscribers’ backs!
After I started to use Lastpass, the amount of spam shot up dramatically to often 10 per day, when before I would barely receive 1 in a week. This happened only in my gmail account and not in any other accounts. It was the gmail account that was used with Lastpass.
I don’t believe there is a connection between LastPass and the amount of spam you’ve been receiving. It’s probably coincidental.
I have never ever heard or experienced any relationship between Lastpass and spam.
"… or a website vulnerable to cross-site scripting …"
What is “cross-site scripting”? I see it all the time at the top of eBay pages.
Should I be concerned?
Thanks Leo, another great article.
In simple terms, it’s a vulnerability in a website that allows somebody to insert malicious code that’s potentially harmful to the PCs of other people who view that website. An example would be: somebody includes malicious code in a comment to one of the posts here at AskLeo and that code then causes something bad to happen to the PCs of people who view the post. To be clear, I’m just using AskLeo as an example and I’m not suggesting that the website has any vulnerabilities that would allow an attacker to do this!
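To make the comment-box scenario concrete, here is an added example (not code from the article or from LastPass) showing why pasting untrusted comment text straight into a page is a cross-site scripting hole, and the escaping that closes it. The comment text is constructed for illustration.

```javascript
// Added example, not from the article: a comment as an attacker might
// submit it. The markup draws a fake "session expired" box and carries a
// script tag; text and class name are constructed for this demonstration.
const hostileComment =
  '<div class="fake-login">Your session has expired, please log in again</div>' +
  '<script>/* attacker-controlled code would run here */</script>';

// Vulnerable renderer: user text is concatenated directly into the page
// markup, so any tags it contains become live elements in the viewer's browser.
function renderCommentUnsafe(author, text) {
  return '<li class="comment"><b>' + author + '</b>: ' + text + '</li>';
}

// Escape the five characters that let text break out of an HTML text node
// or attribute value. The result is safe to place inside element content.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted field is escaped, so the comment is
// displayed verbatim as text and cannot add elements or scripts to the page.
function renderCommentSafe(author, text) {
  return '<li class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(text) + '</li>';
}

// Count HTML tags in a rendered fragment. The template has exactly four
// (li, b, /b, /li); any more means user input injected markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Demonstration: the unsafe renderer gains four extra tags from the comment,
// the safe one keeps the template's four.
console.log('unsafe tags:', countTags(renderCommentUnsafe('anon', hostileComment)));
console.log('safe tags:  ', countTags(renderCommentSafe('anon', hostileComment)));
```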
So even if they got your password, it would have to be impossible to get past your 2nd factor authentication, right?
I might add that I have noticed that whenever I add a new device or PC, I get an instant warning on my other computers alerting me and asking for my approval.
Right.
Yep. That’s kinda the point of two factor.
Now for some good news. When I went to the LastPass login in Chrome, there was an update to LastPass 4.0 with a completely new look for the login and the vault. Using that, it would be difficult to be fooled by the phishing page (or at least until the hackers duplicate that look). Here is the latest from LastPass on the subject:
https://lastpass.com/support.php?cmd=showfaq&id=10072
They’ve strengthened their 2 factor authentication to no longer bypass the second factor on known devices, so 2 factor authentication can be a safeguard against this phishing exploit.
Howdy Leo!
I had received a message from Lastpass telling me about an update that was from “mailed-by: mandrillapp.com” in the e-mail header (received several weeks ago – I was traveling, didn’t read until tonight) and then when I attempted to login by way of the icon on Firefox, I was told my password was incorrect. Now I attempted to get the prompt for my password and I find this in the e-mail address: “mailed-by: lastpass.com”. Any hints on this?
Thanks!
Michael
I’m not sure I follow exactly what’s happened here. Looks like mandrillapp is a legit mailing service used by some applications, but whether lastpass uses it I can’t say.