LastPass phishing attack could have scooped up passwords

A relatively simple phishing attack could be used to compromise the widely used password manager LastPass, according to new research.

Notifications displayed by LastPass version 4.0 in a browser window can be spoofed, tricking people into divulging their login credentials and even snatching a one-time passcode, according to Sean Cassidy, who gave a presentation at the Shmoocon conference on Saturday.

Cassidy, who is CTO of Praesido Inc., notified LastPass of the issues. In a blog post, LastPass said it has made improvements that should make such an attack harder to pull off without a user knowing.

To read this article in full or to leave a comment, please click here