
Possible LastPass Phishing Vulnerability

News broke over the weekend about an approach to a phishing attack that could fool you into giving a hacker your LastPass credentials, even bypassing two-factor authentication. It’s not yet been seen in the wild, but code has been made available, so I’d expect it to start appearing.

Quick bottom line

If you get a message from LastPass that your session has timed out and you need to log in again, don’t. Instead, I recommend you close your browser, re-open your browser, and log in using the LastPass icon on the browser’s menu bar.


That password dialog may not be LastPass

Apparently, malicious code on a malicious website, or a website vulnerable to cross-site scripting, could allow a hacker to simulate the exact look and feel of the LastPass log-in dialog box on some browsers. You think you’re logging into LastPass as normal, but in fact you’re giving your credentials to a hacker.

While it might be overkill, closing your browser is probably the safest thing you can do. You’ve not been compromised at that point. The act of re-opening the browser and logging in using the browser’s LastPass icon guarantees you’re logging in safely. (It may be enough to simply ignore the message box that’s prompting for your password, and just log in again using the browser icon, but it’s cleaner to just restart the browser.)

To be honest, it’s unclear just how big of a deal this really is, or whether recent changes to LastPass address the issue completely. But getting an unexpected request to re-login to LastPass is the sign to look for.

Before we panic

A couple of important points.

First, LastPass has not been hacked. This is different from, and unrelated to, any kind of hack. This is a potential phishing attack that fools you into turning over your master password.

Second, I’m not abandoning LastPass. I want to see how they respond. I have an email out to them right now. I’ll update this article if I get a response, and as more information becomes available.

In the meantime, just be extra careful when logging in to your LastPass account. Avoid using anything that pops up in your browser window; instead, always use the ever-present LastPass icon in your browser’s toolbar.

It’s what I’m doing.

Update

Update 19-Jan-2016: LastPass issued a response: “I read that LastPass is vulnerable to phishing attacks – should I be concerned?”

Short version: the issue should be addressed. In general, two-factor authentication protects you well. They discuss the vulnerability completely, and have indeed made one tweak to their processes relating to two-factor that patches one hole.

My take: a good, responsible response. I feel better. As I expected I would.


23 comments on “Possible LastPass Phishing Vulnerability”

  1. Thanks Leo. Over the last two or three months I’ve been asked to log into my LastPass account at various times. Of course the same is true of logging back into my Microsoft account. I always use LastPass but seldom use the MS account. I’m using Win 10 and since they seem to be having a continued problem syncing each of my email accounts I just don’t go there. Thank you for adding again an additional layer of safety for all of us out here.

  2. You refer to “the ever-present LastPass icon in your browser’s toolbar”, but that only goes for users who have installed the plugin. I haven’t, at least not yet, so I always log into LastPass via their website address, http://www.lastpass.com

  3. After the last Lastpass update, when you open the browser there is no icon. When you enable Lastpass the icon appears colored without having to enter any password. This happens every time you close and reopen the browser. I wonder every time this happens if this is as it should be. Any random user of this computer could do the same thing without knowing any passwords.

    • Do you have “Automatically log off when all browsers are closed for {number of minutes}” checked? It might have somehow got deselected. I use LastPass on several devices, and all of my portable devices log off and turn the icon gray. I have this box unchecked on my desktop so that I don’t have to log on each time and it behaves as you describe, but in my case by choice.

    • You don’t have an auto-reprompt configured. My desktop installation works like this on purpose. My laptop is set to require a reprompt after some period of inactivity. (It auto-logs out.)

      Thus if I get the “timed out” message on my desktop – where I have it configured never to time out – I know something’s up. :-)

  4. After I started to use Lastpass, the amount of spam shot up dramatically to often 10 per day, when before I would barely receive 1 in a week. This happened only in my gmail account and not in any other accounts. It was the gmail account that was used with Lastpass.

  5. …. or a website vulnerable to cross-site scripting ….

    What is “cross-site scripting”? I see it all the time at the top of eBay pages.

    Should I be concerned?

    Thanks Leo, another great article.

    • In simple terms, it’s a vulnerability in a website that allows somebody to insert malicious code that’s potentially harmful to the PCs of other people who view that website. An example would be: somebody includes malicious code in a comment to one of the posts here at AskLeo and that code then causes something bad to happen to the PCs of people who view the post. To be clear, I’m just using AskLeo as an example and I’m not suggesting that the website has any vulnerabilities that would allow an attacker to do this!

  6. Now for some good news. When I went to the LastPass login in Chrome, there was an update to LastPass 4.0 with a completely new look for the login and the vault. Using that it would make it difficult to be fooled by the phishing page (or at least until the hackers duplicate that look). Here is the latest from LastPass on the subject:
    https://lastpass.com/support.php?cmd=showfaq&id=10072

    They’ve strengthened their 2 factor authentication to no longer bypass the second factor on known devices, so 2 factor authentication can be a safeguard against this phishing exploit.

  7. Howdy Leo!

    I had received a message from Lastpass telling me about an update that was from “mailed-by: mandrillapp.com” in the e-mail header (received several weeks ago – I was traveling, didn’t read until tonight) and then when I attempted to login by way of the icon on Firefox, I was told my password was incorrect. Now I attempted to get the prompt for my password and I find this in the e-mail address: “mailed-by: lastpass.com”. Any hints on this?

    Thanks!

    Michael

    • I’m not sure I follow exactly what’s happened here. Looks like mandrillapp is a legit mailing service used by some applications, but whether lastpass uses it I can’t say.

