Many people use password managers because they have to log in to so many different sites that remembering a different password for each service is a chore, unless they have the unhealthy habit of reusing one password for all of their online accounts. LastPass is a popular password manager, and a security researcher is now warning that its users should keep an eye out for phishing attacks.
The phishing attacks can dupe LastPass users with a fake LastPass login prompt that looks almost identical to the real one. Once users enter their master password into the malicious prompt, they are effectively handing over access to every password stored in their account.
The warning comes from security researcher Sean Cassidy, who presented a proof-of-concept demonstration at the ShmooCon security convention. His demonstration showed how malicious websites can serve pop-ups in the browser that mimic LastPass's login prompts, matching them down to the individual pixel.
LastPass prompts users to enter their master password whenever they visit a site for which they have a password saved in LastPass. This eliminates the need for users to remember login credentials for every website they have an account on, but it is also a weakness that can be exploited to steal the passwords of LastPass users, since users are conditioned to type their master password into a prompt that appears in the browser.
Cassidy said that LastPass told him it is taking concrete steps to make phishing attacks on its users even harder to carry out, while a spokeswoman for the company drew the distinction that this is not a vulnerability in LastPass itself but a means of conducting a phishing attack.