News broke over the weekend about a phishing technique that could fool you into giving a hacker your LastPass credentials, even bypassing two-factor authentication. It’s not yet been seen in the wild, but code has been made available, so I’d expect it to start appearing.
Quick bottom line
If you get a message from LastPass that your session has timed out and you need to log in again, don’t. Instead, I recommend you close your browser, re-open your browser, and log in using the LastPass icon on the browser’s menu bar.
That password dialog may not be LastPass
Apparently, malicious code on a hostile website, or on an otherwise legitimate website that is vulnerable to cross-site scripting, could allow a hacker to reproduce the exact look and feel of the LastPass log-in dialog box in some browsers. You think you’re logging into LastPass as normal, but in fact you’re handing your credentials to a hacker.
While it might be overkill, closing your browser is probably the safest thing you can do. You’ve not been compromised at that point. The act of re-opening the browser and logging in using the browser’s LastPass icon guarantees you’re logging in safely. (It may be enough to simply ignore the message box that’s prompting for your password and just log in again using the browser icon, but it’s cleaner to restart the browser.)
To be honest, it’s unclear just how big a deal this really is, or whether recent changes to LastPass address the issue completely. But an unexpected request to re-login to LastPass is the sign to look for.
Before we panic
A couple of important points.
First, LastPass has not been hacked. This is different from, and unrelated to, any kind of hack. This is a potential phishing attack that fools you into turning over your master password.
Second, I’m not abandoning LastPass. I want to see how they respond. I have an email out to them right now. I’ll update this article if I get a response, and as more information becomes available.
In the meantime, just be extra careful when logging in to your LastPass account. Avoid using anything that pops up in your browser window; instead, always use the ever-present LastPass icon in your browser’s toolbar.
It’s what I’m doing.
Update 19-Jan-2016: LastPass issued a response: I read that LastPass is vulnerable to phishing attacks – should I be concerned?
Short version: the issue should be addressed. In general, two-factor authentication protects you well. They discuss the vulnerability completely, and have indeed made one tweak to their processes relating to two-factor that patches one hole.
My take: a good, responsible response. I feel better. As I expected I would.