LastPass Password Manager Details Vulnerable to Hack
Added: Saturday, January 30th, 2016
LastPass is one of the popular password managers, which stores users' passwords in the cloud in an encrypted vault. This user database is protected by a single username/password pair and various forms of two-factor authentication. However, a security researcher has recently released a tool able to steal the login details and two-factor authentication key for the manager, thus leaving users potentially exposed. The tool in question enables hackers to mimic the look and feel of the LastPass browser plugin and website, imitating the way the password manager requests a user's password and two-factor authentication key.
The security researcher presented the attack at the hacker convention ShmooCon in Washington, calling it LostPass. The attack works because ordinary users can't tell the difference between a fake and a real message. The fake message shows up if a user visits a malicious website. Once the malware detects that the browser is using LastPass, it mimics a LastPass notification, remotely logs out the user and requests their password and two-factor authentication key. As a result, the hacker would be able to gain access to every password stored in the system, change settings, block a user's access or hide it, leaving the user none the wiser.
LastPass was notified about the vulnerability back in November and responded by implementing a system to alert users when they type their master password on a fake site. The problem is that hackers can easily block that notification as well.
While the attack is not a flaw within LastPass itself, it still highlights a major problem that even the most careful users can encounter. As for the service, it said that the email verification process significantly reduces the threat of such a phishing attack, because the hackers would need to gain access to the user's email account as well. If a user sees a verification request they never initiated, they can safely ignore it.
LastPass also added that it has implemented a fix preventing the malware from logging a user out of their account. Although none of these changes can prevent the hackers from stealing login details, they could still prevent them from using those details to access the user's password manager.
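The article does not say how LastPass blocks the forced logout. As an added example (not LastPass code, and not from the researcher), the check below shows one common server-side way to refuse a logout that another website triggers, assuming the forced logout arrives as a cross-site request. The origin, token and field names are hypothetical, and the sample requests are constructed.

```javascript
// Added example, not LastPass code. TRUSTED_ORIGIN and all field names are hypothetical.
const TRUSTED_ORIGIN = "https://vault.example";

// Compare two strings without exiting early on the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a logout request was really sent by the service's own page.
function checkLogout(req, session) {
  const headers = req.headers || {};
  if (req.method !== "POST") {
    return { allow: false, reason: "logout must be a POST" };
  }
  // Fetch metadata: modern browsers label requests started by another site.
  const site = headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") {
    return { allow: false, reason: "request initiated by another site" };
  }
  if (headers["origin"] !== TRUSTED_ORIGIN) {
    return { allow: false, reason: "missing or untrusted Origin" };
  }
  // The per-session token is something a third-party page cannot read.
  const supplied = req.body ? req.body.csrfToken : undefined;
  if (!session || !constantTimeEqual(supplied, session.csrfToken)) {
    return { allow: false, reason: "missing or wrong CSRF token" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const session = { csrfToken: "c0nstructed-sample-token" };
const samples = {
  embeddedGet: { method: "GET", headers: { "sec-fetch-site": "cross-site" } },
  foreignForm: { method: "POST", headers: { origin: "https://other.example", "sec-fetch-site": "cross-site" }, body: {} },
  noToken: { method: "POST", headers: { origin: TRUSTED_ORIGIN, "sec-fetch-site": "same-origin" }, body: {} },
  genuine: { method: "POST", headers: { origin: TRUSTED_ORIGIN, "sec-fetch-site": "same-origin" }, body: { csrfToken: "c0nstructed-sample-token" } },
};

for (const [name, req] of Object.entries(samples)) {
  const r = checkLogout(req, session);
  console.log(name.padEnd(12), r.allow ? "ALLOW" : "DENY ", r.reason);
}
```

Only the last sample, which carries the trusted Origin and the session's own token, is allowed to end the session.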
|posted by (2016-01-30 21:36:36)|
|Thanks for this information|
|yeah thanks for that, I guess you should only log onto lastpass with a blank screen|
|Thank You SaM.|
|Thanks, I guess... But why would anyone need/want to store passwords on a cloud program/app? I keep all mine on a .txt file... I guess laziness would be the largest factor to bother using such a service?|
|@4 I hope you have that .txt file encrypted and locked away in a safe next to your computer, as that is the only way it will not be copied by some enterprising haxor. Recently I had a call out on a business system I put together for someone, and whilst cleaning up their mess I was watching a downloaded film on another guy's computer in the same area, with full access to all his files should I so choose. A simple .txt file would not have been a problem for me to copy, and if he was silly enough to put the keys to his kingdom in it he may now be trying to cancel all his credit cards. Luckily watching his p2p files was all I had an interest in. (:^D)|
|An interesting exploit SaM, obviously thought out by a clever mind. To clone a program, reboot it and redirect the user's data, cutting off the app's server in the process, is a lot of work, but not without rewards one would guess, since if important enough to lock away securely, effort over gains applies. Hopefully no one's Swiss accounts are being ransacked right now. (:^D)|
|It's kept on a 4gb usb data stick, which if I don't recall what a password is for a site I'll pull it out.. Also this is my personal computer I'm speaking of.. I'm the only one that uses it unless one of my cats has been using it while I sleep|
|@7 No matter how safe you think it is, there will always be some enterprising haxor somewhere who will come up with a workaround to any given scenario, whether on a usb drive or your HDD, which is why there is cloud storage or programs like maskme/Blur. http://www.pcworld.com/article/185872/usb_drives_hacked.html The only really safe way to keep your finances safe is 1-2-1 over the counter at a bank. (:^D)|
|The kingston hack is unlikely, granted, as it requires physical access, but keyloggers, trojans and other nasties can see whatever you do, going back as far as 2000 and Microsoft's reverse browsing. So if you have to do it online then do not entrust it to any drive, usb or HDD, as a drive .IMG on a 4gb drive would take very little time on a modern pc, and a keylogger would take every keystroke and have your email and password, credit card details etc and send them directly to someone who would then go online and fleece your accounts for goods or anything else that cannot be traced back to anyone except you.|