Security researcher Sean Cassidy discovered a phishing attack (LostPass) at ShmooCon 2016, which enables spoofing notifications displayed by LastPass version 4.0 in the web browser wherein users get tricked to divulge their login credentials as well as OTP. He also added that an email notification is sent by LastPass if any attacker tries logging in from a new IP address.
Cassidy states that this attack works in Chrome and spotting the difference between a fake LastPass message, and the actual one isn’t easy for users since it has the same login screen and same notification.
All attacker has to do is reroute the user to a legit website that is vulnerable to XSS attacks, followed by XSS flaw for detecting the installation of LastPass. Then, log the user out with a CSRF issue and ask to log in once again.
When the user clicks on this notification, the exact login page appears, and once the credentials are entered, users are logged on to the server of the attacker. User credentials against the LastPass API will then be checked, accuracy will be verified, and the user will be asked for 2-factor authentication code.
Once the attacker gets access to the username and password, all the information of the victim can be downloaded from the API. Cassidy advised the users to keep a check on the account history of LastPass for checking unknown IP addresses.
Apart from that users should disable mobile login, ignore notifications in the browser window and enable IP restriction.