Security Expert Warns LastPass Could Be Vulnerable To Phishing


If you use any kind of password manager, you likely trust that app quite intimately. Using it, you likely feel a bit safer from phishing attacks than users who enter their passwords on a per-site basis. If you stumble across a fake Facebook login page, LastPass, for example, won't autofill your password. The popular password manager app, however, is not invincible. No password manager is. As demonstrated by security expert Sean Cassidy at the recent ShmooCon security meetup, users of password managers need to be mindful of phishing as well. The caveat arguably applies even more to password manager users: if somebody loses one password to a phishing attack, their trouble is limited to that particular service. If somebody is duped into entering their details into a fake LastPass popup window, as shown in the main image, every password they have falls into the wrong hands. Essentially, their digital life is now somebody else's to control until they can take serious steps to wrest control back.

Using what he called LostPass, Cassidy presented a fake LastPass popup window that looked remarkably similar to the real thing. Because LastPass uses a master password that a user must enter each time they access a site that requires LastPass to enter their password for them, getting that one password could expose a user's entire digital fingerprint, so to speak. Using a similar setup, a phishing attack could dupe a user into entering their details and then feed them to an outside source. Next thing they know, their bank account could be dry and their Facebook account could be posting scams all over the web.


LastPass representatives were quick to point out, of course, that this is not a vulnerability in LastPass in particular. Phishing attacks in similar forms have been around for a very long time. Cassidy was emphasizing, instead, how easy it would be for a user's entire password book to fall into the wrong hands. It is always best practice to exercise caution on the web, but password manager users in particular should be careful. If you use a password manager, memorize the login screen very carefully and keep a picture for reference if needed. If any details are off, including the URL if applicable, you should report the page in question to the password manager app's developers at once.


Copyright ©2016 Android Headlines. All Rights Reserved.

Senior Staff Writer

Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, voice assistants, and AI technology development news in the Android world. Contact him at [email protected]
