Phishing is not always a problem located between the keyboard and the chair. That is certainly the view of researcher Sean Cassidy, who this weekend presented at the ShmooCon conference a phishing attack that is particularly convincing and able to fool even the most seasoned users of the LastPass password manager.
The attack, dubbed "LostPass", exploits several weaknesses in the password management service. The attacker first lures the user to a malicious site, then displays a notification telling the user that they have been logged out of LastPass. Once it appears, the user is redirected to a login page almost identical to the one LastPass shows when the user is logged out. By exploiting a particular bug in Chromium, the attacker can obtain a domain name closely resembling the one used for Chrome extensions, of the same kind as the one LastPass uses.
The attacker can then use LastPass's open API to check whether the credentials the user entered are valid and whether the user has enabled two-factor authentication. If so, the attacker can also display a prompt copied from the one the password management service shows, which lets them capture the token generated by the second factor at the same time. Once the password has been recovered, the attacker can access the rest of the passwords stored by the user, or change the account's security settings to make future attacks easier.
LastPass's teams were informed of this attack scenario during the summer of 2015 and have since implemented several measures to protect users. The company has set up an email verification step when a user logs in from an unknown device, which, according to LastPass, significantly reduces such attacks.
The company also says it is reviewing how its extension works: it currently relies on viewport notifications to inform users, a technique that is easy to imitate for an attacker who wants to deceive a user. By correcting this behaviour, LastPass intends to reduce somewhat the risk of confusion between genuine notifications and notifications coming from a malicious site the user is visiting.
For Sean Cassidy, the problem highlighted by this scenario is just as critical as a classic vulnerability, but he regrets that phishing attacks are too often relegated to the rank of mere "user problems". In his demonstration, the difference between the legitimate pages and the malicious pages used by the attacker is indeed minimal: only a tiny difference of three characters in a URL and a few typographical differences separate the real from the fake, which makes the attack all the more worrying.