{"id":13988930,"url":"https://github.com/cxxr/lostpass","last_synced_at":"2026-02-28T13:12:37.547Z","repository":{"id":69237866,"uuid":"49758265","full_name":"cxxr/lostpass","owner":"cxxr","description":"Pixel-perfect LastPass phishing","archived":false,"fork":false,"pushed_at":"2016-01-19T21:27:25.000Z","size":4031,"stargazers_count":338,"open_issues_count":1,"forks_count":39,"subscribers_count":25,"default_branch":"master","last_synced_at":"2025-06-01T05:40:03.752Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cxxr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-16T03:54:46.000Z","updated_at":"2024-07-30T19:46:20.000Z","dependencies_parsed_at":"2023-03-20T20:13:21.766Z","dependency_job_id":null,"html_url":"https://github.com/cxxr/lostpass","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cxxr/lostpass","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cxxr%2Flostpass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cxxr%2Flostpass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cxxr%2Flostpass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cxxr%2Flostpass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cxxr","download_url":"https://codeload.github.com/cxxr/lostpass/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cxxr%2Flostpass/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29935097,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T13:00:17.143Z","status":"ssl_error","status_checked_at":"2026-02-28T12:59:13.669Z","response_time":90,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-09T13:01:26.391Z","updated_at":"2026-02-28T13:12:37.529Z","avatar_url":"https://github.com/cxxr.png","language":"HTML","funding_links":[],"categories":["HTML"],"sub_categories":[],"readme":"# LostPass\n\nA tool to phish LastPass accounts. See [my blog\npost](https://www.seancassidy.me/lostpass.html) for more information.\n\n## Screenshots\n\nThis is LostPass in action.\n\n### Chrome notification\n\nThis notification pops up on a benign-looking website.\n\n![Chrome notification](images/notification.png)\n\n### Chrome login screen\n\nThis is shown after the user clicks our malicious notification.\n\n![Chrome login](images/login1.png)\n\nNotice how it uses the domain `chrome-extension.pw`, which is close to Chrome's\nbuilt-in `chrome-extension` protocol. Since the connection is over HTTP, the\nicon looks similar. This \n[Chromium issue](https://code.google.com/p/chromium/issues/detail?id=453093) \nis open to address this issue.\n\n### Chrome two-factor prompt\n\nThis is shown if the user has two-factor authentication enabled.\n\n![Chrome two-factor](images/2fa.png)\n\n### Firefox login on Windows 8\n\nThis is drawn using HTML5 and CSS. Even the Windows appear/close animation is\ndone. One of them is real, one of them is LostPass. Which one?\n\n![Firefox login](images/firefox_win.png)\n\n## How it works\n\n1. Get the victim to go to a malicious website that looks benign, or a real\n   website that is vulnerable to XSS\n2. If they have LastPass installed, show the login expired notification and log\n   the user out of LastPass (Logout CSRF)\n3. Once the victim clicks on the fake banner, direct them to an\n   attacker-controlled login page that looks identical to the LastPass one\n4. The victim will enter their password and send the credentials to the\n   attacker's server\n5. If the username and password is incorrect, redirect them back to the\n   malicious site and redisplay the banner with \"Invalid Password\"\n6. If the user has two-factor authentication, redirect them to a two-factor\n   authentication page. Once they enter their two-factor token, try it.\n7. Once the attacker has the correct username and password (and two-factor\n   token), download all of the victim's information from the LastPass API\n\nLostPass does steps 2 through 7. Some things to note about why this is so \neffective:\n\n- Many responses to the phishing problem are \"Train the users\", as if it was\n  their fault that they were phished. Training is not effective at combating\n  LostPass because there is little to no difference in what is shown to the \n  user\n- LastPass's login workflow is complex and somewhat buggy. Sometimes it shows\n  in-viewport login pages, and sometimes it shows them as popup windows.\n- It is easy to detect LastPass and it was even easier to find the exact HTML\n  and CSS that LastPass uses to show notifications and login pages\n- It even phishes for the two-factor auth code, so 2FA is no help\n\nSee [the FAQ I wrote](https://www.seancassidy.me/lostpass.html) for more\ninformation.\n\n## Setup\n\nAfter getting nodejs and npm installed:\n\n    npm install -g grunt-cli\n    npm install\n    grunt\n\nTo run server.py, you'll need lastpass-python and bottle.\n\n    virtualenv env\n    source env/bin/activate\n    pip install lastpass-python bottle\n    cd chrome4/\n    python server.py\n\nIt seems that there are some bugs in lastpass-python as not all accounts can be\nlogged in to.\n\n## Status\n\nThis is a proof-of-concept. It is not written particularly well or\nmaintainable. I am not particularly interested in making it weaponized. I may\naccept PRs if they are useful or instructive or fix obvious bugs.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcxxr%2Flostpass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcxxr%2Flostpass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcxxr%2Flostpass/lists"}