Hackers can also disable a target’s 2FA by using a Cross-Site request forgery vulnerability if, for instance, a victim is phished on an attacker-controlled website. Do you think it is a good idea to have the same lock for the door and the safe? Should the door key open the safe as well?” “To put it in perspective, imagine that you have a safe in your house where you keep your most valuable belongings. “This literally beats the entire purpose of 2FA, which is a layer of security to prevent attackers already in possession of the password from logging in,” Vigo explained. That means an attacker with the password could then compromise the second factor of authentication. Unfortunately, according to researcher Martin Vigo, LastPass stored that secret under a URL that can be derived from the password. In this case, the QR code holds the “secret” that will allow a user or an attacker to generate valid codes that serve as the second factor. LastPass’s problem lies in how they stored the QR code used for setting up 2FA.
The purpose of 2FA is to secure accounts and systems against attackers who already have your password. LastPass, one of the web’s most popular password managers, had a critical flaw in its implementation of two-factor authentication, according to new research published Thursday.
0 kommentar(er)
