Slashdot Mirror


LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com)

An anonymous reader writes: Security researcher Sean Cassidy has developed a fairly trivial attack on the LastPass password management service that allows attackers an easy method for collecting the victim's master password. He developed a tool called LostPass that automates phishing attacks against LastPass, and even allows attackers to collect password vaults from the LastPass API.

146 comments

  1. after reading the details, this is significant by raymorris · · Score: 5, Informative

    I read through the details and this is pretty significant. It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser, but it was demonstrated that even that isn't sufficient. This looks like a significant problem for Lastpass and any others with a similar UI.

    For anyone who doesn't care to read the details, here's the crux of the problem:

    Lastpass prompts for the master password -within- the browser window. Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog, so users can't tell the difference. Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.

    1. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      If only browsers had a display area that showed the URL

    2. Re:after reading the details, this is significant by Frosty+Piss · · Score: 1

      Isn't this a pretty standard "hack"? If LastPass missed this issue, what else is sketchy?

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:after reading the details, this is significant by reve_etrange · · Score: 1

      It would help some if Lastpass switched to only using a native OS window rather than prompting for authentication within the browser

      That's already the case in Firefox. The exploit only affects Chrome, and even then you can always check to make sure the URL says "chrome-extension" and not something similar.

      --
      .: Semper Absurda :.
    4. Re:after reading the details, this is significant by reve_etrange · · Score: 5, Informative

      It's really a Chrome issue, on Firefox LastPass uses an OS dialog. According to TFA there's an outstanding issue report in chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).

      --
      .: Semper Absurda :.
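The check reve_etrange describes, written out as an added example (not code from this thread, from LastPass or from Chromium): a verifier that accepts a login page only when the scheme is exactly `chrome-extension` and the host is the 32-letter (a-p) extension id previously confirmed on a trusted machine, so that look-alike schemes, ordinary web domains and near-miss ids are all rejected. `EXPECTED_EXTENSION_ID` and the sample URLs are constructed placeholders, not the real LastPass id.

```python
"""Strict check of the origin a browser-extension login page is served from.

Added example for this thread; not LastPass or Chromium code.  The scheme must
be exactly 'chrome-extension' and the host must equal the extension id you
verified out of band (for example on chrome://extensions), so a slightly
modified id, an extra letter in the scheme, or a web domain that merely
contains the words is rejected.  EXPECTED_EXTENSION_ID is a constructed
placeholder, not the real LastPass id.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed placeholder: substitute the id read from chrome://extensions on a
# machine you trust.
EXPECTED_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"

# Chrome extension ids are always 32 characters drawn from the letters a-p.
_EXT_ID_RE = re.compile(r"[a-p]{32}")


def check_extension_url(url: str, expected_id: str = EXPECTED_EXTENSION_ID) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only for an exact match of the expected origin."""
    parts = urlsplit(url)
    if parts.scheme != "chrome-extension":
        return False, "scheme is %r, not 'chrome-extension'" % parts.scheme
    host = parts.netloc
    if not _EXT_ID_RE.fullmatch(host):
        return False, "host %r is not a well-formed 32-letter extension id" % host
    if host != expected_id:
        return False, "extension id differs from the expected id"
    return True, "exact match with the expected extension origin"


def audit(urls: List[str]) -> Dict[str, bool]:
    """Map each URL in a batch (e.g. from a log of where prompts appeared) to its verdict."""
    return {u: check_extension_url(u)[0] for u in urls}


# Constructed sample URLs: the first is genuine under the placeholder id, the
# rest differ from it in ways that are easy to miss in an address bar.
SAMPLE_URLS = [
    "chrome-extension://abcdefghijklmnopabcdefghijklmnop/login.html",
    "chrome-extensions://abcdefghijklmnopabcdefghijklmnop/login.html",
    "https://chrome-extension.example/abcdefghijklmnopabcdefghijklmnop/login.html",
    "chrome-extension://abcdefghijklmnopabcdefghijklmnoq/login.html",
    "chrome-extension://abcdefghijklmnopabcdefghijklmnoa/login.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_extension_url(u)
        print("OK " if ok else "BAD", u, "--", why)
```

The comparison is deliberately an exact string match rather than a "looks like" test: anything short of equality with the id you verified yourself is treated as untrusted, which is the only rule a user can apply reliably when the dialog itself can be copied pixel for pixel.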
    5. Re:after reading the details, this is significant by Frosty+Piss · · Score: 1

      It's really a Chrome issue, on Firefox LastPass uses an OS dialog...

      Sure, understood, but that makes it a design issue with LastPass, especially seeing as how Chrome has by far more users than Firefox.

      --
      If you want news from today, you have to come back tomorrow.
    6. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0, Troll

      Sure, understood, but that makes it a design issue with LastPass, especially seeing as how Chrome has by far more users than Firefox.

      Anyone stupid enough to use Chrome deserves to be a victim.

    7. Re:after reading the details, this is significant by ArmoredDragon · · Score: 4, Interesting

      Lastpass is an addon/extension overlay, meaning there is no URL.

    8. Re:after reading the details, this is significant by Aighearach · · Score: 2

      Any web page can easily pop up a pixel-perfect copy of the Lastpass login dialog

      If popups are still a thing, that is much more shocking than the supposed "vulnerability."

      I know there are serious professionals actually claiming that password managers make you more secure, but it seems obvious that having a single point of failure based on trust introduces a major vulnerability.

      IMO the vulnerabilities involved are:

      1. Running browsers that allow pop-ups.
      2. Creating a single point of failure based on un-audited trust.
      3. Using a networked password manager that not only can communicate over the network but actually has an API for it. The API stuff is useful for enterprise login management, but that is a different use case than these password managers, and it should be in a different product. All that stuff should be done with traditional solutions, because they already work and are easy to run on a private network and integrate into network security.
      4. Willingness of users to run fairly new software intended to protect security. If it is less than 15 years old, it hasn't even finished beta testing yet. That is the attitude that security requires. If you don't believe me, just check the security news the past 2 years. ;)
      5. Separately from the general problem of networking, the specific feature of browser synchronization is exceptionally dangerous. There is no way ever to know how secure you are. Even code audits wouldn't help, because browser software is updated too frequently to know if new vulnerabilities have been created within the browser extension capabilities.
    9. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      Disagree and this comment makes me sad. What you're arguing is because of Chrome's (large) user base, it's not liable to be a good citizen and follow standards/procedures-- instead producers should adapt their product specifically for their platform when it's sub-optimal and unlike every other.

      What you're saying is that you really love Internet Explorer so much that in its death, you want Chrome to become IE. This is what got us into trouble the first time, and here we are destined to repeat our mistakes.

      I switched away from Chrome because of exactly this sort of shit, and haven't looked back. Firefox is actually better on memory, if a bit slower to render the page.

    10. Re:after reading the details, this is significant by Frosty+Piss · · Score: 2

      Disagree and this comment makes me sad. What you're arguing is because of Chrome's (large) user base, it's not liable to be a good citizen and follow standards/procedures...

      NOT AT ALL!

      I'm saying that if you put a SECURITY product out and don't test it on all the available browsers, your product is crap. It's not secure on one of the most popular browsers, why would they design it that way?

      --
      If you want news from today, you have to come back tomorrow.
    11. Re:after reading the details, this is significant by Ragnarok89 · · Score: 1

      It is significant, but I think I have to point out the context here. This is not a Lastpass specific issue. ANY service that prompts for a password within the browser is subject to this attack. It just so happens that the Lastpass service is pretty damn important.

    12. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      This. The only thing that concerns me is the fact that they can log any user out. Lastpass needs to fix that.

    13. Re:after reading the details, this is significant by Barlo_Mung_42 · · Score: 1

      Would setting up two factor authentication thwart that?

    14. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      I share the sentiment, but can't agree literally. I don't think it's stupidity in anyone's case. For those who are unaware that Chrome and Google are "attackers" basically, it's ignorance. But most Slashdotters know this, so it's apathy.

    15. Re:after reading the details, this is significant by mysidia · · Score: 1

      Once the attacker has the master password, they can download all passwords that the user has stored in Lastpass.

      Unless the user has 2FA enabled.....

    16. Re:after reading the details, this is significant by meadow · · Score: 0

      I agree. It is a Chrome issue and in fact Chrome's crappy support for Lastpass, along with blocking duckduckgo.com from being a search engine, is why I never use Chrome.

    17. Re:after reading the details, this is significant by Fnord666 · · Score: 1

      Unless the user has 2FA enabled.....

      From TFA:

      Attacker can intercept 2FA codes

      Additionally, the attacker can even check these credentials against the LastPass API, verify their accuracy, and even ask the user for the two-factor authentication code if this feature is turned on.

      If everything is correct, and all the codes verify through, using the same LastPass API, an attacker can collect any data from the user's account he wants, including the password vault.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    18. Re:after reading the details, this is significant by invictusvoyd · · Score: 1

      Well , we all know that too much management is generally counterproductive.

    19. Re: after reading the details, this is significant by johnsnails · · Score: 1

      Similar issue exists somewhat with any app, how do I know an app used HTTPS to send username/passwords etc? I realise I could know using Fiddler or similar, but I mean how do you do those basic checks in an app?

    20. Re:after reading the details, this is significant by shawn2772 · · Score: 1

      along with blocking duckduckgo.com from being a search engine

      What are you talking about? Chrome doesn't "block" duckduckgo.com from being a search engine. In fact, it's even in the pre-configured list of search engines in the Chrome settings, and you can make it your default search engine with a grand total of four mouse clicks: click on the hamburger menu, then Settings, then "Manage search engines", then mouse over duckduckgo in the "Other search engines" list and click the "default" button that appears.

    21. Re:after reading the details, this is significant by Zero__Kelvin · · Score: 1

      "Even if the user has 2FA enabled....."

      FTFY

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    22. Re:after reading the details, this is significant by AmiMoJo · · Score: 1

      Why would you use LastPass anyway? It seems like a really dumb idea to rely on a cloud service for passwords.

      I use KeePass. It can optionally sync its database with a file on Google Drive, which I suppose is the cloud, but crucially it runs everything locally and outside the browser process. Much less vulnerable to this kind of attack.

      I never understood the attraction of LastPass. It just seems to charge you money to create a bigger attack surface, and put your credentials at risk.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    23. Re:after reading the details, this is significant by drolli · · Score: 2

      Generation iphone: first complain, then right-click. Then complain that the option was intentionally hidden.

    24. Re: after reading the details, this is significant by Anonymous Coward · · Score: 0

      You don't have to sync KeePass to a cloud drive. I have a copy of my password db on a share at home, on my employee folder at work, and I sync them both to my thumbdrive. Never goes over the internet.

    25. Re:after reading the details, this is significant by meadow · · Score: 1

      In the mobile browser it is impossible to set ddg as default search.

    26. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      Hi! I'm the maker of a small and very old password manager that is not discussed here. Nothing against KeePass, it's a decent application. But it seems that even good password managers have unnecessary features that merely increase the attack surface. Syncing only makes sense if multiple users are allowed who may access the database concurrently. If multiple simultaneous user access is not needed, a properly programmed password manager can store any document anywhere, including "cloud drives", just by using what's called "the file system". Like any other multi-document application.

    27. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      In the mobile browser it is impossible to set ddg as default search.

      Hey, we are busy bashing "generation iphone" here, and how ignorant they are of (non-existent) settings.

    28. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      The risk of single internet location services. We are working on solution for hybrid password management, please check www.vaulteq.com

    29. Re:after reading the details, this is significant by The-Ixian · · Score: 1

      Google apparently hates making Chrome extensible. Every Chrome add-on seems crippled compared to its FF "equivalent". Maybe this is due to security... but I highly doubt it. I think that Google are just control freaks about their browser.

      --
      My eyes reflect the stars and a smile lights up my face.
    30. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      With browsers being the primary point of attack for malware and compromises (the second being Trojans/dancing bunny attacks), it isn't surprising that this is taking place.

      Passwords should either be stored by the Web browser in a separate process than the browser and add-ons, done by a separate program outside of the Web browser, or if it has to be an add-on, one that is moved outside the browser's context, so it can't have its dialogs faked. The problem is that there isn't any real way to tell between a true dialog asking for a password versus a fake one that was signed by another valid CA cert [1].

      So, you have to take the password request and password mechanism out of the browser completely. Which makes LastPass a festering pile of shit when it comes to security because it cannot protect itself from another process in the browser context or say that its prompt for a password is better than another site. Well, unless they come up with their own binary add-on or ActiveX control... and that is a completely new can of worms.

      Want password security? Go with KeePass or some utility that doesn't depend on a remote site to stash your stuff. If you have to travel, use a password manager that works on your phone and is decently secure.

      [1]: Ever look at what browser defaults are? iOS, you have to accept that the Chinese government can sign any cert, or don't use the device. Android, it is a PITA to disable certs that you don't use, but doable. For example, why should I trust Saudi Arabia's government to sign a US .com cert?

    31. Re:after reading the details, this is significant by N1AK · · Score: 1

      Thanks for the summary. Though I'm not sure why it's seen to be such a big issue. Firstly LastPass supports multiple two-factor authentication methods, so even if someone using this fell for it you still couldn't access their vault. Secondly, there's a LastPass icon on the topbar of the browser. It is red if you are logged in, and greyed out if you are not, and you have to click it to bring up the password prompt. If I saw the login prompt with a red icon I know something is wrong, if I see the prompt without clicking on the icon then something is wrong.

      Perhaps the attack does more than simply mimic the look of the prompt, but based on your summary it's an attack that relies on user mistakes and poor security practice.

    32. Re:after reading the details, this is significant by N1AK · · Score: 1

      To respond to myself, reading a bit more into this the problem is bigger than the previous summary says. The exploit is able to make LastPass logout, making the prompt and even request for the 2nd factor code less suspicious. In short, although it requires users to miss a couple of reasonably subtle signs this is a real security shortcoming that they need to address.

    33. Re: after reading the details, this is significant by Anonymous Coward · · Score: 0

      You're completely right, IE 8 was the last good web browser.

    34. Re:after reading the details, this is significant by Anonymous+Cow+Ward · · Score: 1

      So, theoretically, all you'd have to do is sign in with a blank tab in focus? Those shouldn't have any sort of copy of the login dialog.

      --
      Examine even your most deeply held beliefs. Nobody is always right.
    35. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      A lot of the things extensions can do in other browsers like Firefox cannot be done in Chrome, because Google doesn't want effective ad blocking to occur in its browser. People are welcome to use and prefer Chrome over the alternatives but they should always keep in mind that Chrome is made by an advertising company who is intent on showing you ads and harvesting your data, and does not have the user's best interests in mind.

    36. Re:after reading the details, this is significant by mlts · · Score: 1

      The sad thing is that a password manager isn't a tough thing. However, it requires some thought to do it right.

      For example, stashing a syncable database on a cloud provider. Most PW managers either use the same password one uses for the local storage.

      However, the database on the cloud provider is where security needs to be tight, and, if possible, not brute-forceable. Ideally, the database would be protected by a randomly generated key, which is then encrypted by each device's private key. If the user wants to add a new device, the new device's key is slapped on a keyserver, one of the other devices shows the user that device's fingerprint and asks the user to compare and approve that the key is the same, then would allow the new device to have its decrypting key entry. If all devices are lost, a recovery mechanism can be as simple as having a password on the chain that unlocks the key, or a shared secret. All solved problems -- this functionality is all native to the OpenPGP format (where one encrypted file can be decoded by any key on the list, or a passphrase.)

      For Android and iOS, both have secure modes to store sensitive data. These should be used in combination with the app's encryption, so there is both the device's hardware protection, and the app's protection.

      For desktop usage, the app's encryption is likely enough, since desktops are less likely to be stolen.

      Backups? Again, there is an easy, secure way to do this. Use a similar encryption mechanism to what Titanium Backup (a must have for Android) uses. It has a public key, and encrypts backups with that. When a restore is needed, each backup file has a private key, which is encrypted with the user's passphrase. This results in being able to do backups without having to hold a key or password indefinitely in memory between sessions, but allows the user to restore/decrypt without worrying about having the proper key... just the right passphrase.

      Of course, there is the password generator. Yes, /dev/random or Windows's equivalent is "good enough", but having a password generator which can take user input (keystrokes, using a high speed timer, as well as mouse movements) provides additional randomness, which would be useful if a bug happened, and /dev/random just outputted zeroes or some other glitch happened. The ideal would be a combination of Apple's and Keepass's, where one can use memorable words with a number or two, or generate custom passwords [1].

      I just wish someone would do it "right". KeePass has everything nailed, except good syncing with a cloud provider, and if each instance of the password manager would use a PGP/gpg key, then store the database as an encrypted file, this would provide excellent resistance to brute-force attacks, should the cloud provider get compromised, as there would be no passwords to guess.

      [1]: Sometimes I was asked to send a user a password over one channel, and data over another. I liked sending passwords in a standard format (like 2-3 Windows CD keys for more sensitive stuff, or phone numbers for less sensitive items) so the receiver knew they were not totally lost when typing in a long password. Thus, having templates comes in handy. Same with generating a large amount of starting passwords for an AD domain, where I wanted the passwords to fit the criteria, but be of a certain format so the user knows they are typing in the right thing, and there wouldn't be any "0/O", "1/l" mixups.
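The vault design mlts sketches (random database key, one wrapped copy per approved device, fingerprint comparison before a new device is enrolled, passphrase recovery if every device is lost), as an added example that is not code from this thread, from KeePass, LastPass or OpenPGP. It uses only the Python standard library, so two substitutions are labelled: per-device symmetric wrapping keys stand in for the per-device OpenPGP key pairs in the comment, and `seal()`/`open_()` are a toy encrypt-then-MAC built from HMAC-SHA256 in place of a real AEAD such as AES-GCM. The names, the iteration count and the sample vault contents are all constructed.

```python
"""Vault under one random data key (DEK), wrapped once per device plus a
passphrase-protected recovery copy.  Added example after the design in the
comment above; not KeePass, LastPass or OpenPGP code.  Stdlib only: symmetric
per-device keys stand in for OpenPGP key pairs, and seal()/open_() are a toy
encrypt-then-MAC from HMAC-SHA256 standing in for a real AEAD.
"""
import hashlib
import hmac
import os
from typing import Dict

PBKDF2_ITERS = 200_000  # constructed work factor for the recovery passphrase


def _subkeys(key: bytes):
    """Separate keystream and tag keys so the two PRF uses cannot collide."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or an edited blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return _xor_keystream(enc_key, nonce, ct)


def fingerprint(device_key: bytes) -> str:
    """Short fingerprint the user compares on an existing device before approving a new one."""
    return hashlib.sha256(b"device-fingerprint" + device_key).hexdigest()[:16]


def _recovery_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERS)


def create_vault(secrets: bytes, device: str, device_key: bytes, passphrase: str) -> Dict:
    """Encrypt the vault under a fresh random DEK, then wrap that DEK for the first
    device and for the recovery passphrase; neither ever encrypts the data directly."""
    dek, salt = os.urandom(32), os.urandom(16)
    return {
        "ciphertext": seal(dek, secrets),
        "wrapped": {device: seal(device_key, dek)},
        "recovery": {"salt": salt, "wrapped_dek": seal(_recovery_key(passphrase, salt), dek)},
    }


def open_vault(vault: Dict, device: str, device_key: bytes) -> bytes:
    dek = open_(device_key, vault["wrapped"][device])
    return open_(dek, vault["ciphertext"])


def approve_device(vault: Dict, approver: str, approver_key: bytes,
                   new_device: str, new_key: bytes, fingerprint_shown: str) -> None:
    """An enrolled device unwraps the DEK and re-wraps it for the new device, but only
    after the fingerprint the user compared (fingerprint_shown) matches the key that
    the new device published; a mismatch means the key came from somewhere else."""
    if not hmac.compare_digest(fingerprint_shown, fingerprint(new_key)):
        raise ValueError("fingerprint mismatch: refusing to enrol device")
    dek = open_(approver_key, vault["wrapped"][approver])
    vault["wrapped"][new_device] = seal(new_key, dek)


def recover_vault(vault: Dict, passphrase: str) -> bytes:
    """All devices lost: the passphrase unwraps the DEK, which decrypts the vault."""
    rk = _recovery_key(passphrase, vault["recovery"]["salt"])
    return open_(open_(rk, vault["recovery"]["wrapped_dek"]), vault["ciphertext"])


def can_open(vault: Dict, device: str, device_key: bytes) -> bool:
    """True if this device name and key unlock the vault, False for any failure."""
    try:
        open_vault(vault, device, device_key)
        return True
    except (KeyError, ValueError):
        return False
```

What the structure buys, and why the comment calls it a solved problem: a copy of the vault taken from the cloud provider contains only ciphertext under a 256-bit random key, so there is no password to guess; the only password-derived material is the recovery wrapper, and its PBKDF2 work factor governs how expensive that single avenue is.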

    37. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      It's really a Chrome issue, on Firefox LastPass uses an OS dialog...

      Sure, understood, but that makes it a design issue with LastPass, especially seeing as how Chrome has by far more users than Firefox.

      LastPass can only design against what the browser extension API's design permits. You bringing up how many users Chrome has vs Firefox obviously shows your ignorance and implies you've never developed extensions for both Firefox and Chrome. If you did, you'd know how extensible Firefox is and how very limited Chrome is in comparison, to the point where you can implement features in Firefox that just aren't possible in Chrome, or are only possible if you make compromises in your own design in order to implement an even remotely equivalent Firefox extension feature.

    38. Re:after reading the details, this is significant by Anonymous Coward · · Score: 0

      Dude, now you're saying that LastPass doesn't test their products on all available browsers? Wild accusations there.

      Why would they design their extension this way? Because Chrome's extension API gives them no other choice, except not support the Chrome browser with an extension at all.

      LastPass raised the issue of how shitty the Chrome extension API is and how it forces developers to have to make poor design choices because there's absolutely no other way, or else forgo Chrome support altogether. They brought this up years ago, and it's not been resolved:

      https://code.google.com/p/chromium/issues/detail?id=39511#c34

    39. Re:after reading the details, this is significant by godel_56 · · Score: 1

      It's really a Chrome issue, on Firefox LastPass uses an OS dialog. According to TFA there's an outstanding issue report in chromium to make the legit extension URL more clear (the exploit relies on the user not seeing a slight modification to the extension URL).

      Also in TFA, he was able to pretty effectively fake the OS dialog. Most people would be fooled.

  2. Reusing the same password is actually better by Anonymous Coward · · Score: 1

    Systems like Lastpass are designed to keep passwords in an online repository and allow users to have different passwords for each service. In principle, this might actually be a better security model. However, it really isn't because it creates a single point of failure and provides a false sense of security. Keyloggers make it pretty easy to collect passwords from unsuspecting users who might not take security as seriously when Lastpass makes them feel secure. You're also placing your trust in the security of online repositories, which you have no way to audit. I'd actually rather have users reuse passwords across multiple services and be more aware of security than put their trust in a single point of failure that's a prime target for attacks. There's also potentially a lot more damage to clean up when a service like Lastpass gets compromised than if users simply reuse a few passwords across multiple sites. Perhaps people ought to reuse a few passwords instead of putting their trust in a service like Lastpass.

    1. Re:Reusing the same password is actually better by grim-one · · Score: 1

      Relying on a single re-used password is worse than relying on a single password service. If a re-used password is compromised, all of your services are compromised - the same result as if your password service is compromised. However, the "surface area" for attacking the re-used password is much larger. To compromise the re-used password, you only need to compromise one of the sites on which it is used, so the attacker has more sites to pick and choose from and more potential vulnerabilities.

    2. Re:Reusing the same password is actually better by SirSlud · · Score: 1

      That is weapons grade dumb. The only thing this kind of attack can get is whatever passwords the duped user is entering. If they use only one, then as an attacker, all you need is that first one. Since auditing is so important to you, presumably you would also insist that you audit all the websites you're giving your password *to*. Think about it: "I don't trust the password manager, but I think it's a great idea to give the same password to a bunch of different websites whose handling of my password I *can't* audit." See how ridiculous your claim is that using a single uber-strong password is better than trusting a commercial entity whose business is predicated and relies on getting it right? All they get is an encrypted blob of your data, and you can sniff your own outbound traffic to confirm it.

      --
      "Old man yells at systemd"
    3. Re:Reusing the same password is actually better by Aighearach · · Score: 1

      Whereas if they reuse 2 passwords instead of just one, they've already defeated your analysis. ;)

      More seriously, the surface area isn't as large as you think, because getting a web password doesn't tell you what other services they use. Getting their password manager password does tell you that. It lets them access sites that the user didn't even use while they were under attack. The surface area of the password manager being exploited is therefore much, much larger, even if the attack surface is smaller from certain specific angles.

      The password manager being exploited gives up more access than even months of keylogging, unless you sign into every site you have a password for on a regular basis.

    4. Re:Reusing the same password is actually better by grim-one · · Score: 1

      Yes, re-using two different passwords is better. Three is better than that. You can continue that argument until you end up with a password for each site. Then you'll probably want a password management service, unless you have perfect recall.

      You seem to be describing the "surface area" of the impact after an exploit has occurred. I was trying to describe the attack surface area that would allow an exploit in the first place. This is limited to a single site for the manager scenario - the main password site. In the reuse scenario, you are impacted if any one site has an exploit against it (Twitter, Facebook, Slashdot, site XYZ, etc...) - thus much larger attack surface area.

      The number of your accounts exposed after a successful attack is the same (assuming you reuse the password on all sites that would otherwise be kept in the management site). You're correct that the management site would give your attacker a nice convenient list of sites to target. I'm guessing without that the attacker would have an end-target in mind anyway. Perhaps they'd check all the mail services (GMail, Outlook, etc). Then move on to social media (Facebook, Twitter, etc). They might even check financial sites (Paypal, banks, etc).

    5. Re:Reusing the same password is actually better by Zero__Kelvin · · Score: 1

      " Then you'll probably want a password management service, unless you have perfect recall. "

      ... or some imagination and a little black book. ;-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Reusing the same password is actually better by Zero__Kelvin · · Score: 1

      You should probably re-read his post, as you got his point bass-ackwards. He is talking about using multiple passwords, not a single Uber one.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:Reusing the same password is actually better by Anonymous Coward · · Score: 0

      To compromise the re-used password, you only need to compromise one of the sites on which it is used,

      No need to compromise a site - just deploy a new site specifically for harvesting shared passwords:
      https://xkcd.com/792/

    8. Re:Reusing the same password is actually better by Anonymous Coward · · Score: 0

      GGP specifically said "people ought to reuse a few passwords" which is what GP correctly calls "dumb".

      Even if you use "multiple" passwords, and the "bunch of different websites" you are trusting to handle your password is only 1/4 or 1/5th of the total, everything GP said still applies.

    9. Re:Reusing the same password is actually better by Aighearach · · Score: 1

      No, often you continue the process until you get to 5 or so and now the user is writing the passwords down. On a sticky note on the monitor is bad, but writing it inside networked application software simply magnifies the idiocy and danger of writing it on a sticky note.

    10. Re:Reusing the same password is actually better by Aighearach · · Score: 1

      If you have reasonable physical security and are not a high profile target, this is ideal. I use this system.

      People wave their hands and insist a service is somehow safe, but they do it using pure assertion with no actual security analysis showing it to have lower risk. And they'll freely give out the recommendation to the general public, when actually it depends on individual user context and for many (most!) users it will decrease their security. Security by colloquialism.

    11. Re:Reusing the same password is actually better by Zero__Kelvin · · Score: 1

      Really. How, pray tell, does this apply? : " If they use only one, then as an attacker, all you need is ..." Just admit that you are an idiot who didn't understand that the GP was claiming the OP wrote something completely different than they actually wrote.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Seems like time to consider the alternatives by Cloud+K · · Score: 1

    Suggestions for alternative password managers that work on all the same platforms? So Linux would need to be included (meaning 1password is out), and iOS and Android as well.

    I know there's keepass for the desktop, though I seem to recall the Linux client being a choice of either using some old file format or the Windows version on WINE, and don't know how it'd conveniently sync with a mobile.

    1. Re:Seems like time to consider the alternatives by Anonymous Coward · · Score: 0

      I know there's keepass for the desktop, though I seem to recall the Linux client being a choice of either using some old file format or the Windows version on WINE, and don't know how it'd conveniently sync with a mobile.

      keepass is cross platform, using the same file on Linux/Win/Android/MacOS. You can store the encrypted database in a cloud-based service like dropbox and have a highly portable system for password storage on-line & off-line.

    2. Re:Seems like time to consider the alternatives by Anonymous Coward · · Score: 1

      keepassx on linux.

    3. Re:Seems like time to consider the alternatives by rspeed · · Score: 1

      It's not optimal by any measure, but the Windows version of 1Password is very well-behaved via Wine.

    4. Re:Seems like time to consider the alternatives by Anonymous Coward · · Score: 1

      Keepass1 is rock solid and has native support on all platforms (but no cloud storage so you'll have to sync it yourself with dropbox or similar). The Keepass1 format is well documented enough that it is pretty much a de facto standard. Keepass2 is a .Net rewrite that doesn't work well on ANY platform, and its new format is not widely supported.

      The only decent feature that Keepass2 added was better multi-user support, which is pointless for most users anyway. Go with Keepass1.

    5. Re:Seems like time to consider the alternatives by Duckman5 · · Score: 4, Informative

      keepass is cross platform, using the same file on Linux/Win/Android/MacOS. You can store the encrypted database in a cloud-based service like dropbox and have a highly portable system for password storage on-line & off-line.

      That's what I do. For added security, I have a key file that I never put online and only stored locally on my laptop/phone. That way, even if someone gets my database AND somehow intercepts my password they're still out in the cold.

      KeeCloud is a good place to start. Then just pick a browser integration plugin and you're off. For android, Keepass2Android is a good choice, too. It has an integrated keyboard that will directly type the username and password into the browser (or app) so you can avoid all those clipboard stealing exploits.
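      An added worked example (not KeePass's own code, nor anything from the poster) of why the key file described above keeps a synced database closed even when the master password has been phished. The composite key is modelled on KeePass's construction (hash the password and the key file separately, concatenate, hash again, then stretch); the exact KeePass parameters, the iteration count and the vault header layout are assumptions for this demo.

```python
"""Added example (not KeePass's own code): a device-local key file as a
second unlock component for a synced password database.

The 'vault header' is a constructed stand-in so the script runs offline with
the standard library only; the key-derivation details are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

STRETCH_ITERATIONS = 100_000          # PBKDF2 rounds; constructed value for this demo
KEY_CHECK_LABEL = b"vault-key-check"  # fixed string the key-check tag is computed over


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Combine the password and the optional key file into one 32-byte secret.

    Each component is hashed on its own before the hashes are concatenated and
    hashed again, so leaving out either component yields an unrelated key:
    a phished password cannot be 'completed' by guessing a short suffix.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_vault_key(composite: bytes, salt: bytes) -> bytes:
    """Stretch the composite key so offline password guessing stays slow."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, STRETCH_ITERATIONS, dklen=32)


def key_check_tag(vault_key: bytes) -> bytes:
    """Tag that lets the client distinguish a wrong key from a corrupt file."""
    return hmac.new(vault_key, KEY_CHECK_LABEL, "sha256").digest()


def create_vault(password: str, key_file: Optional[bytes]) -> Dict[str, bytes]:
    """Return the header fields a vault file would carry: salt and key-check tag."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(composite_key(password, key_file), salt)
    return {"salt": salt, "check": key_check_tag(vault_key)}


def try_unlock(vault: Dict[str, bytes], password: str, key_file: Optional[bytes]) -> bool:
    """True only when password AND key file reproduce the stored key-check tag."""
    vault_key = derive_vault_key(composite_key(password, key_file), vault["salt"])
    return hmac.compare_digest(key_check_tag(vault_key), vault["check"])


def demo() -> Dict[str, bool]:
    """Constructed scenario: the database and the password leak, the key file does not."""
    master = "correct horse battery staple"    # constructed master password
    key_file = secrets.token_bytes(64)          # constructed key file, never synced
    vault = create_vault(master, key_file)      # the part an attacker could copy from cloud storage
    return {
        "owner_with_both": try_unlock(vault, master, key_file),
        "phished_password_only": try_unlock(vault, master, None),
        "stolen_key_file_wrong_password": try_unlock(vault, "hunter2", key_file),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case}: {'unlocked' if unlocked else 'locked'}")
```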

    6. Re:Seems like time to consider the alternatives by ve3oat · · Score: 1

      How about PasswordSafe? I think it was originally designed by Bruce Schneier of Schneier on Security fame. His credentials are excellent.

    7. Re:Seems like time to consider the alternatives by meadow · · Score: 1

      Better solution IMHO by far is to ditch Chrome. And, as someone above wrote, it's not just Lastpass that can have this issue in it, but potentially any other app as well.

    8. Re:Seems like time to consider the alternatives by Anonymous Coward · · Score: 0

      KeePass had similar news just a couple of months ago. I think I read about it here, even.
      http://thehackernews.com/2015/...

    9. Re:Seems like time to consider the alternatives by hankwang · · Score: 1

      "Keepass2 is a .Net rewrite that doesn't work well on ANY platform, and its new format is not widely supported. The only decent feature that Keepass2 added was better multi-user support, which is pointless for most users anyway. Go with Keepass1."

      As for the leading Android implementations, keepass2android is definitely better than keepassDroid. They use the same database format (kdbx). However, KPD does not black out its thumbnail in the recent-apps list, does not have the same features for auto-locking the database, and does not warn about clipboard snooping attacks. If someone grabs your phone, you're at more risk with KPD than with KP2A.

    10. Re:Seems like time to consider the alternatives by sexconker · · Score: 1

      Retarded.
      That requires hacking the host computer. A keylogger would be just as effective. KeePass does NOT protect you from a compromised host. NO password manager does.

    11. Re: Seems like time to consider the alternatives by tometzky · · Score: 1

      I use Firefox's built-in password manager with a master password. Works on Windows, Linux, Android. I haven't tested but it should also work on iOS and OSX. It's open source, does not store unencrypted passwords in the cloud, uses an OS popup for the master password prompt, and prompts only during browser startup, so it'd be very suspicious if opening a page showed the prompt. Also, knowing the master password is not enough to compromise it remotely - you'd also need the Firefox account password, which should be different and very complicated.

    12. Re: Seems like time to consider the alternatives by bill_mcgonigle · · Score: 2

      Keep /home on LUKS, use a screen locker, and configure LastPass to remember the master password. It will tell you that's less secure. Yeah, for less likely attacks - spoofing predictable chrome has been around for more than a decade. X11 apps can already steal your passwords, so minimizing keyboard input of them is important until Wayland.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    13. Re:Seems like time to consider the alternatives by Anonymous Coward · · Score: 0

      Android is too insecure to store passwords on it. Point.

    14. Re:Seems like time to consider the alternatives by The-Ixian · · Score: 1

      I have used RoboForm for almost 10 years and I recommend it to everyone.

      I think it is great. The iOS and Windows Phone OS clients are a little lacking but present, Windows, Mac, Linux and Android support are awesome.

      --
      My eyes reflect the stars and a smile lights up my face.
    15. Re:Seems like time to consider the alternatives by Luthair · · Score: 1

      No less secure than your PC.

    16. Re:Seems like time to consider the alternatives by GuB-42 · · Score: 1

      Android is too insecure to store passwords on it. Point.

      It depends on the implementation but it is probably more secure than the usual desktop OSes.
      Android is based on linux, with SELinux enabled and apps run with different UIDs. The main weakness of Android comes from the delay between the time a vulnerability is fixed and the time you actually have it installed on your phone, but beside this, the stack is quite secure.
      Correctly set up, the Keepass file is almost unbreakable. Effective attacks could be the keylogger or DLL injection type where you attempt to catch the master password as the user enters it and these are harder to do on Android. Even phishing is probably a bit harder too.

      What you should watch out for are clipboard-based systems, as it is easy to sniff out passwords. Especially on Samsung phones where there is a clipboard history feature.

  4. Password managers continue to be dumb by Anonymous Coward · · Score: 0

    Either you can remember a lot of passwords or you can't. If you can't, just use the same password everywhere. It's as effective as using a "master" password.

    1. Re:Password managers continue to be dumb by jopsen · · Score: 2

      Either you can remember a lot of passwords or you can't. If you can't, just use the same password everywhere. It's as effective as using a "master" password.

      Putting 2fa on the vault seems like a sane thing to do... Also it's fewer places that can leak your "master" password... I.e. only lastpass has your master password, so it's only if they get compromised that it is leaked... And they hopefully hash passwords properly... Can't say I believe every other random site hashes passwords correctly.

      Also once the browser session is authenticated you shouldn't need to do lastpass again, right?... So you type your master password fewer times.
      Honestly, I've been planning to move to a password managing system... like lastpass. It doesn't magically fix all attack vectors, but reduces a lot.

    2. Re:Password managers continue to be dumb by bhiestand · · Score: 2

      Either you can remember a lot of passwords or you can't. If you can't, just use the same password everywhere. It's as effective as using a "master" password.

      Putting 2fa on the vault seems like a sane thing to do... Also it's fewer places that can leak your "master" password... I.e. only lastpass has your master password, so it's only if they get compromised that it is leaked... And they hopefully hash passwords properly... Can't say I believe every other random site hashes passwords correctly.

      Also once the browser session is authenticated you shouldn't need to do lastpass again, right?... So you type your master password fewer times.

      Honestly, I've been planning to move to a password managing system... like lastpass. It doesn't magically fix all attack vectors, but reduces a lot.

      ^ This. I have 2FA on my email and on lastpass. Email and LastPass both have separate passwords. I also have 2FA on the banks I care about. I also receive instant text/email about significant transactions.

      Every site has its own, extremely complex unique password. Most of the sites I really care about also require email confirmation of any security-significant changes.

      So to really do anything with my accounts, you need all of my lastpass passwords, my 2FA for email, my email password, and you have to do it in such a way that I won't notice (either receiving the email notifications or losing access to my email) before I can stop you.

      I'll call this "good enough"

      I also click on the lastpass icon to login... not sure how anyone could fake the login modal coming out of the extension like that. I'm guessing this doesn't apply to me because I'd hit cancel and go to my normal method.

      --
      SWM seeks new sig for a brief fling
    3. Re:Password managers continue to be dumb by Anonymous Coward · · Score: 0

      Well, that's just silly. Using the same password everywhere means that I need to fully trust ALL those site. Using a master password approach means that I only fully trust wherever the master password is stored (e.g., lastpass).

      The advantage of using lastpass is protecting me from the site being stupid and storing the password in plain text, allowing an attacker (or even the site owner) to impersonate me to other sites where I've used the same password.

    4. Re: Password managers continue to be dumb by Anonymous Coward · · Score: 0

      Password managers do more than just "remember" a lot of passwords. You can use them to generate passwords which are just a long string of random noise, which you will never ever need to remember.

      And using a password manager is still safer than using a master password.

      If you use a master password, all it takes is for ANY of the sites or services that you use to get hacked and your password will end up in a database dump somewhere. Either that, or an attacker could use social engineering on one service to obtain your password, and then try it across multiple services.

      Both of these things are relatively well documented occurrences.

      Now contrast that with a password manager. If you are careful with your password file, it is highly unlikely that anyone can get their hands on it, and even if they do, unless they are the NSA, they probably won't have the computation power to break the password database before you reset all your passwords.

    5. Re:Password managers continue to be dumb by Walter+White · · Score: 1

      I also click on the lastpass icon to login... not sure how anyone could fake the login modal coming out of the extension like that. I'm guessing this doesn't apply to me because I'd hit cancel and go to my normal method.

      How hard would it be for an attacker to disable LastPass and replace it with a pixel perfect look alike?

      I suppose the way to defeat that would be to always type the wrong password on the first try and if the password manager appears to accept it, stop trying! Unless the fake password manager is able to use the entered password to try to unlock the database in which case I cannot see a way to detect a fake LastPass.

    6. Re:Password managers continue to be dumb by bhiestand · · Score: 1

      I also click on the lastpass icon to login... not sure how anyone could fake the login modal coming out of the extension like that. I'm guessing this doesn't apply to me because I'd hit cancel and go to my normal method.

      How hard would it be for an attacker to disable LastPass and replace it with a pixel perfect look alike?

      That is a good point. I suppose we are relying on Chrome's security to prevent an attacker from completely replacing the extension itself.

      Obviously, mimicking its icon and dialog window would be easy enough.

      Then again, if they can do that on my machine they can probably already read passwords from memory or keyboard input? So now I'm just relying on my 2FA

      --
      SWM seeks new sig for a brief fling
    7. Re:Password managers continue to be dumb by Anonymous Coward · · Score: 0

      2FA doesn't help here. You can just as easily phish a 2FA code once you've got the user to type in their master password.

      Read the article- 2FA on the account actually makes it worse, since without TFA LastPass sends you an email when there's an unusual IP address connecting. With 2FA, it assumes it's really you and lets it go.

    8. Re:Password managers continue to be dumb by Anonymous Coward · · Score: 0

      Once your computer is pwned, it's game over for any passwords you type into it and honestly it seems like an unrealistic threat for LastPass, or any password manager, to actually attempt to mitigate.

      You can be phished into typing in a 2FA token as well, at which point the attacker's server immediately passes that token over to LastPass and logs in themselves.

    9. Re:Password managers continue to be dumb by Anonymous Coward · · Score: 0

      That is a design flaw with 2FA. It only makes sense if it is per-transaction.
      That way they can only steal one password per attempt, and if they cannot bypass the current site's authentication it would even be noticeable as they cannot log you in.
      2FA that is for authentication only and allows to retrieve all passwords at once can only protect future data.
      In case of a password manager that basically means it provides basically no advantage at all over a strong password.

    10. Re:Password managers continue to be dumb by The-Ixian · · Score: 1

      The TFA explains that the problem is actually 2 fold:

      1. All authentication dialogs are done (in Chrome) by injecting content into the HTTP stream
      2. There is a mechanism by which an arbitrary web site can log you out of your LP session

      So, these two problems combine to make a situation where an attacker can easily replicate a pixel-perfect duplicate of a LP authentication window AND this is something that apparently LP users expect from time-to-time.

      --
      My eyes reflect the stars and a smile lights up my face.
    11. Re:Password managers continue to be dumb by The-Ixian · · Score: 1

      This is why any good password manager has a mouse click keyboard option when entering the master password.

      In addition to this, the PW manager I use, RoboForm, uses a different password (not my master password) to sync to the cloud. Although, by default, the RF settings allow either password to be used for syncing, you can disable this option for added security.

      This means that, worst case scenario, I lose control of my master password, the attacker still cannot pull down my encrypted password files from the cloud.

      I have also enabled 2FA on my RF account which means that even if the attacker had both passwords, they still could not pull down my encrypted passwords from the cloud because each new endpoint needs to be authenticated via the second factor.

      All-in-all, I think that RoboForm is probably the most mature PW manager out there.. but it is paid software ($20/year).

      --
      My eyes reflect the stars and a smile lights up my face.
    12. Re: Password managers continue to be dumb by Anonymous Coward · · Score: 0

      Last pass doesn't protect you from that. When you sign up with a site, your password is stored.

      Unless you meant keeps you safe from sniffing attacks. But doesn't lastpass send the data to the servers the same as you would?

  5. Re:Slashdot vulnerable to extremely simple attack by Anonymous Coward · · Score: 3, Funny

    Everybody can write stupid comments, and nothing at all can stop them!

  6. ain't it great..? by Anonymous Coward · · Score: 0

    the cloud, that is....

    sticky notes are more secure than the cloud...

  7. Locally hosted password manager? by n0creativity · · Score: 1

    Anyone know if there is a password manager similar to LastPass, but that you host and can run on your internal network only? My predecessor was clearly in love with lastpass and currently, every key to my IT kingdom exists on there, which I'm not entirely too fond of, especially now. It is kinda nice, but for my situation, I have absolutely no reason for it to be publicly accessible. I would love to run something like this on my own linux VM, hidden behind the safety of my firewall and my management VLAN. Does it exist or did I just give someone an idea that they'll turn into an enterprise software package and make millions?

    1. Re:Locally hosted password manager? by Anonymous Coward · · Score: 1

      Bruce Schneier recommends https://pwsafe.org/ (because he designed it...).

      I like it too.

    2. Re: Locally hosted password manager? by Anonymous Coward · · Score: 0

      I use keepassx on Linux.

    3. Re: Locally hosted password manager? by mspohr · · Score: 1

      Keepass works on Windows, Mac, Linux, Android, iOS.
      It's not as "convenient" as LastPass but it's also less vulnerable to this kind of attack.

      --
      I don't read your sig. Why are you reading mine?
    4. Re:Locally hosted password manager? by Anonymous Coward · · Score: 0

      Password-store/qtpass is what I'd recommend.
      I especially like that it uses standard gnupg and can support hardware tokens and multiple users.

    5. Re:Locally hosted password manager? by Anonymous Coward · · Score: 0

      I see no reason to trust this website you have suggested while namedropping Bruce Schneier.

      Common sense is to visit Bruce's website, and follow the directions from there and NOT use pwsafe.org.

    6. Re:Locally hosted password manager? by Anonymous Coward · · Score: 0

      On Bruce Schneier's website, under "Crypto" and "software" one can find the following website for "Password Safe":

      https://www.schneier.com/cryptography/passsafe/

    7. Re:Locally hosted password manager? by Todd+Knarr · · Score: 1

      I use PWSafe combined with an OwnCloud instance for sync. Devices have their own local copy of the database plus access to the OwnCloud copy, so I can handle even complicated cases of multiple conflicting updates from multiple devices (I usually do changes on a PC and the "master" gets uploaded to OwnCloud automatically, but devices can either change the OwnCloud copy and those changes get merged into the "master" or they can change their local copy and upload that to OwnCloud for merging into the master manually). All the advantages of the cloud without the data ever having to leave my servers.

  8. 2 factor by Anonymous Coward · · Score: 0

    Switching to 2 form factor will elevate any issues here

    Use last pass with 2 factor authentication and these issues go away

    1. Re:2 factor by arth1 · · Score: 1

      Switching to 2 form factor will elevate any issues here

      That word you use. I do not think that it means what you think it means.
      However, it is appropriate.

      Use last pass with 2 factor authentication and these issues go away

      No, they won't. From the very first paragraph of TFA:

      The subsequent login page and the two-factor authentication code, if enabled, are also displayed in the same way.

      Lastpass puts the 2FA dialogue in the browser too, which is incredibly stupid, because then that can be intercepted too. The attacker can send both the correct password and the correct 2FA response from you to the lastpass site.

  9. KeePass by dejitaru · · Score: 1

    Something about 'online' password managers really irks me. I've tried lastpass before but didn't really trust it and the plugins became more annoying than useful. So, I switched to keepass and just sync that file on my cloud storage. It's much easier to manage imo and I can use it both on my android and my computer for free.

    1. Re:KeePass by zippthorne · · Score: 1

      I always assumed (based on the name only), that lastpass wasn't a database, but a {printable characters} encoded hash of the domain & master password. I'm somewhat disappointed that that isn't what they're using.

      --
      Can you be Even More Awesome?!
    2. Re:KeePass by Anonymous Coward · · Score: 0

      How would that work?
      You'd still have to send the password to whatever site you log in to.

    3. Re:KeePass by zippthorne · · Score: 1

      But you wouldn't have to send it to a third party.

      --
      Can you be Even More Awesome?!
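      An added worked example (not LastPass's code, nor anything from the posters) of the vault-less scheme zippthorne describes above, where each site password is a printable encoding of a hash of the domain and the master password, in the style of stateless tools such as PwdHash; the alphabet, KDF parameters and hostname rules are assumptions for this demo.

```python
"""Added example, not any product's code: deterministic per-site passwords
derived from a master secret and the site's hostname, so no password vault
exists to be downloaded from a third party.  Parameters are assumptions.
"""
import hashlib
import string
import urllib.parse

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols; constructed choice
ITERATIONS = 200_000  # PBKDF2 rounds; slows offline guessing if one site password leaks


def normalise_site(url_or_host: str) -> str:
    """Reduce 'https://Example.com/login' and 'example.com' to the same label.

    Only the lower-cased hostname is kept.  No public-suffix logic is applied,
    so login.example.com and example.com derive different passwords; that is a
    simplification of this demo, not a recommendation.
    """
    text = url_or_host.strip().lower()
    if "://" in text:
        text = urllib.parse.urlsplit(text).hostname or ""
    return text.rstrip(".")


def site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password deterministically from the master secret.

    The hostname and a rotation counter form the salt, so changing the counter
    rotates one site's password without touching the master or any stored
    state.  The master itself is never sent anywhere.
    """
    host = normalise_site(site)
    if not host:
        raise ValueError("site must contain a hostname")
    salt = f"{host}\x00{counter}".encode("utf-8")
    # One slow stretch of the master, then cheap expansion into as many bytes as needed.
    stretched = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32)
    # Rejection sampling: only bytes below the largest multiple of len(ALPHABET)
    # are used, so every symbol is equally likely (plain modulo would bias).
    limit = 256 - (256 % len(ALPHABET))
    chosen = []
    block = 0
    while len(chosen) < length:
        raw = hashlib.sha256(stretched + block.to_bytes(2, "big")).digest()
        chosen.extend(ALPHABET[b % len(ALPHABET)] for b in raw if b < limit)
        block += 1
    return "".join(chosen[:length])


def demo() -> dict:
    """Constructed master secret and sites; shows per-site isolation and rotation."""
    master = "correct horse battery staple"  # constructed
    return {
        "slashdot": site_password(master, "https://slashdot.org/login"),
        "bank": site_password(master, "bank.example"),
        "bank_rotated": site_password(master, "bank.example", counter=2),
    }


if __name__ == "__main__":
    for site, pw in demo().items():
        print(f"{site}: {pw}")
```

A spoofed prompt still captures the master secret exactly as in the article, so this removes the third-party vault, not the phishable dialog.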
  10. We did this in 1975 on a Burroughs B5500 Timeshare by Wheels17 · · Score: 2

    I laughed when I went to his page and saw the description of the attack. We were timesharing on a B5500 at a major university and found the way to find active but un-logged in terminals and take control. When the login sequence was keyed in, we'd pop up a page identical to the proper login screen and ask for credentials. We'd write to a file, post the proper user ID but a wrong password to the system, and disconnect. The system would reply with the standard wrong password prompt, and the user would figure they just fat fingered the password and was none the wiser. We collected user IDs and passwords of nearly 90% of the people on the system, before we chickened out and deleted the application and the database. I don't think the system folks ever knew it happened.

  11. Chrome by p51d007 · · Score: 1

    I switched back to FF about 6 months ago. Chrome for me, started slowing down.

    1. Re: Chrome by Anonymous Coward · · Score: 0

      Well, there ya go. As long as you switched away, tell the Internet the problem is solved.

  12. Mooltipass? Is that a thing yet? by Anonymous Coward · · Score: 0

    Hackaday was forever working on some "mooltipass" hardware/software/iso7816 card password box thing. The website is too convoluted for my short attention span to understand if it is a product now available for purchase or not. Update... I tried my hardest to focus and I guess they are $130. Meh. If you are a rich b*h or a OSX user (same?), I suppose. It seems like a pretty cool option though.

    1. Re:Mooltipass? Is that a thing yet? by Anonymous Coward · · Score: 0

      Here's the newest presentation video I could find about it: https://www.youtube.com/watch?v=egOZagxOY9w

      maybe it's awesome? I don't know. I do note that in the presentation the computers and screens used are very apple-esque though, so apparently they already know that their target audience is rich b*h OSX users :)

  13. Sean Cassidy was the researcher? by Anonymous Coward · · Score: 0

    LastPass Da Do Run Run Run away from this.

    1. Re:Sean Cassidy was the researcher? by R3d+M3rcury · · Score: 1

      I'm pretty sure they're not the same, but I'll admit I had the same thought.

  14. Re:We did this in 1975 on a Burroughs B5500 Timesh by Anonymous Coward · · Score: 0

    This is just "if you can take control, you can get them to enter their password". No shit sherlock.

  15. Lastpass TFA actually makes the hack easier by raymorris · · Score: 2

    The way Lastpass implements 2-factor, it actually makes the hack EASIER.

    1. Re:Lastpass TFA actually makes the hack easier by jpkunst · · Score: 1

      Care to explain?

    2. Re:Lastpass TFA actually makes the hack easier by randm.ca · · Score: 1

      With 2FA disabled, a "you signed in from a new IP" verification email gets sent, and you go WTF no I didn't and get suspicious (hopefully you do anyway). With 2FA enabled, that email gets disabled, so the user is none the wiser that something funny is going on.

    3. Re:Lastpass TFA actually makes the hack easier by jpkunst · · Score: 1

      Lastpass has now enabled the verification email for users with 2FA enabled. See https://lastpass.com/support.p...

  16. Always believed... by Anonymous Coward · · Score: 0

    I always believed that people who use LastPass are, plain-and-simple, just idiots with no understanding of good security practices; glad to see I've not been disappointed. I would never use such a service, just too many unknowns around who really holds or can access your passwords.

    Google Authenticator etc. is the way to solve these kinds of issues with multi-factor auth.

  17. not exactly, see Firefox screenshot by raymorris · · Score: 4, Insightful

    The blog entry in which the guy describes the attack has a screenshot of the attack in Firefox. The screenshot also includes a legitimate Lastpass dialog, showing that the fake looks -exactly- like the real Lastpass dialog.

    The thing is, the browser can draw something that looks exactly the same as an OS dialog, and it can be dragged around just like the OS dialog. The difference shows up only if you minimize the browser, or already have the browser window small and you then try to drag "the Lastpass" dialog far enough that it's no longer "in front of" the browser window.

    1. Re:not exactly, see Firefox screenshot by ZeRu · · Score: 1

      You could have LastPass remember your e-mail and autofill it for you when it prompts you for the master password. A phishing site typically won't know your e-mail, unless they asked you for it (as a part of the registration process, for example). I suggest using a different e-mail than the one you use for your LastPass Account for every site that requires a password. If you're on Gmail adding "+[domainname]" to your Gmail username is enough, since Gmail ignores everything after a plus sign.

      --
      If you post as an AC, don't expect me to spend a mod point on you.
    2. Re:not exactly, see Firefox screenshot by TheRaven64 · · Score: 2

      There is a well-known defence against this kind of attack. You don't put up generic dialog boxes like this. When the user configures the app, they should provide a picture or a pass phrase, which is displayed in the dialog box whenever it appears. If the dialog does not contain that picture / phrase, then the user knows that it's not the one for their system.

      --
      I am TheRaven on Soylent News
    3. Re: not exactly, see Firefox screenshot by Anonymous Coward · · Score: 0

      My bank has been doing this for 10 years. Last pass is behind the times.

  18. Re:We did this in 1975 on a Burroughs B5500 Timesh by l0n3s0m3phr34k · · Score: 2

    If you have physical access to the terminal, eventually you can come up with a system to defeat almost all security.

  19. LastPass's Response by hawkeey · · Score: 5, Informative

    Here's the response from LastPass:
    https://lastpass.com/support.p...
    (I think this link should be in the main summary for balance)

    As for Google Chrome, LastPass asks that you star Issue 39511 for extension infobars outside the DOM. Specifically here's LastPass asking for improvement in Chrome January 12th, 2012:
    https://code.google.com/p/chro...

    I am NOT affiliated with LastPass.

    1. Re:LastPass's Response by hawkeey · · Score: 1

      Also here's a link to Sean Cassidy's Twitter account: https://twitter.com/sean_a_cas...

      https://twitter.com/sean_a_cas...
      "LastPass now requires email confirmation for logins from new IPs, even with 2FA: https://lastpass.com/support.p..."

      Does that mean the 2FA issue is addressed?

  20. I wish. See the Firefox screenshot by raymorris · · Score: 3, Informative

    Check out the Firefox screenshot that the researcher included. On Firefox the fake dialog still looks exactly like the legitimate dialog. It looks just like an OS window that has popped up in front of the browser window. You'd only know something was amiss if you tried to drag out to a different part of the desktop so it was no longer "in front of" (actually within) the browser.

  21. Ha Ha, Ha Ha by Anonymous Coward · · Score: 0

    Yes I'm laughing at all you LastPass users. You said LastPass employees care about security, they do everything properly, they won't get hacked, it's safe to store everything with a single 3rd party. And yet a very simple and extremely old phishing attack can completely compromise your account.

    Though to be a little fair, it's mainly the browsers' fault for pushing everything to be HTML based.

  22. article should say ignorant users vulnerable to ph by Anonymous Coward · · Score: 0

    In other words business as usual

  23. on random sites, and reveals other passwords by raymorris · · Score: 2

    Slashdot requests a password in the browser, but it's not affected the same way. First, Lastpass throws up a password prompt ON OTHER WEB SITES. You wouldn't enter your banking password on Slashdot.org. However, if Lastpass stores your bank Slashdot password, Lastpass will pop a dialog on Slashdot. You'll then enter your master password into "Lastpass" while you're on Slashdot. With any web-based service, you'd enter your password only on the legitimate site. Lastpass users enter their master password on arbitrary sites.

    Secondly, getting the user to enter their ONE Lastpass master password allows the attacker to retrieve ALL of the passwords, for all other sites. So if you use Lastpass, an XSS attack against Slashdot would reveal your banking password.

  24. Re:article should say ignorant users vulnerable to by behrooz0az · · Score: 1

    RTFA or even comments. It's not about user ignorance. There is no way for anyone to detect a pixel-perfect copy of a login page that has no URL.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  25. Re:article should say ignorant users vulnerable to by pacman+on+prozac · · Score: 1

    I've used it for a while and only ever seen Lastpass ask for login details when the browser is first opened, not in the middle of a browsing session, so the timing of it would give away that it's a fake.

    It's still a good attack, easy enough to have a quick brain fart and type creds into such a window.

    There is an idle logout setting; if you need that enabled then you would be more vulnerable to this, as you would have login windows popping up during normal browsing.

  26. there is also this... by Anonymous Coward · · Score: 0

    "login to LastPass account fails, but it still gives you access to stored credentials." http://blog.digitalbabylon.eu/...

  27. Meh by Anonymous Coward · · Score: 0

    I just store all my passwords in a VeraCrypt volume.

    1. Re:Meh by Anonymous Coward · · Score: 0

      VeraCrypt is likely backdoored. Use Ciphershed instead.

      Otherwise it's a sane suggestion.

    2. Re:Meh by Anonymous Coward · · Score: 0

      It's open source...

  28. Re:We did this in 1975 on a Burroughs B5500 Timesh by ray-auch · · Score: 1

    Physical access was not actually (definitely) implied.

    We did similar in late 80s on unix / X-Windows boxen - the uni had set them up with a nifty graphical login because command line was so-last-year, but no security (standard in those days) on the X display connections. All you needed was a program that showed the same password prompt window and grabbed the username/pw. Even when display security was added it was bodged so any "local" process could connect to :0, and anyone could remote into any workstation any time...

    I'm sure later years of students had the same fun with xdm (which was eventually implemented IIRC) and xspy, but by then we'd moved on to popping up (half-tone or ascii art) topless pictures on unsuspecting colleagues' workstations, preferably when lecturer / supervisor was behind them.

    It was all good learning, but seems as an industry as a whole, we never learn and the old tricks still work...

  29. LastPass have responded: by EnglishTim · · Score: 1

    https://lastpass.com/support.p...

    It seems they've turned on email confirmation even for users with 2FA, along with a couple of other in-browser measures.

  30. Re:We did this in 1975 on a Burroughs B5500 Timesh by Wheels17 · · Score: 1

    This was entirely software-based. We didn't need physical access to the terminals. There was a pre-processor unit that multiplexed the terminals to a machine that was basically designed to be a batch-processing machine. This is where we were able to intercept the session.

  31. Strongly recommend review by an experienced expert by raymorris · · Score: 1

    As you may know, most small security applications have not been reviewed by someone truly qualified. Issues like what we see here with Last Pass are commonplace. It is very likely, almost certain, that you missed -something- when you developed your software.

    If you haven't already, or maybe even if you have, I strongly suggest spending a couple hundred dollars to have another set of experienced eyes review your code. If your application is relatively simple, it probably wouldn't take more than a couple of hours for someone to review it and point out any points of concern.

  32. According to your site, it is weak by raymorris · · Score: 1

    As you may know, most small security applications have not been reviewed by someone truly qualified. Issues like what we see here with LastPass are commonplace. It is very likely, almost certain, that you missed -something- when you developed your software. In fact, according to the little bit of text on your web site, you've made a grave mistake. Whoever wrote the text on the web site doesn't understand some basics of security, so if the same person who wrote the web site copy also designed the code, you have a problem.

    If you haven't already, or maybe even if you have, I strongly suggest spending a few hundred dollars to have another set of experienced eyes review your code and design. If your application is relatively simple, it probably wouldn't take more than a few hours for someone to review it and point out any points of concern.

  33. Simple fix. by Tehrasha · · Score: 1

    FTA: "It is harder to spoof in Firefox, where I had to draw each OS's native widget manually"

    If the user uses ANY customized desktop theme on Windows, these pop-ups are going to look totally alien to the user.

    Finally, a valid use for the Windows Classic theme.

  34. Re:We did this in 1975 on a Burroughs B5500 Timesh by l0n3s0m3phr34k · · Score: 1

    "but seems as an industry as a whole, we never learn and the old tricks still work" - too true; I blame the PHBs who want stock dividends and profits over long-term security and see IT as a money sink that the newest buzzwords will magically fix.

  35. Re:We did this in 1975 on a Burroughs B5500 Timesh by l0n3s0m3phr34k · · Score: 1

    Ah. I did something similar in the early 90s when my high school got their first LAN. You could control-break out of the login script and get dropped into a prompt that had read access to the login paths. Rewrote the script to "error out" and prompt for the teacher's login again and wrote it to the local drive... it was only a matter of time before we had multiple credentials. We found the software they had bought also came with an internal BBS / posting board that they never implemented... much fun was had and the faculty never noticed it at all.

  36. Password complexity rules vary by tepples · · Score: 1

    The problem with regenerating a hash every time you choose to log in to a particular site is that sites' minimum and maximum length and complexity rules for user passwords vary so widely. It would have to store the length, set of permitted characters, and set of required characters for each site.
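    The per-site policy store the comment says such a scheme would need, as an added example (not LastPass code, not the commenter's): a master secret and site name are stretched with PBKDF2, expanded with HMAC in counter mode, mapped onto the site's permitted characters, and retried deterministically until every required class appears. The sample policies, iteration count and site names are constructed for illustration.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SitePolicy:
    length: int          # exact length to produce
    allowed: str         # every output character is drawn from here
    required: tuple = () # classes (strings) that must each appear at least once


def meets_policy(pw: str, policy: SitePolicy) -> bool:
    return (len(pw) == policy.length
            and all(c in policy.allowed for c in pw)
            and all(any(c in cls for c in pw) for cls in policy.required))


def _candidate(key: bytes, attempt: int, policy: SitePolicy) -> str:
    # HMAC in counter mode expands the key; rejection sampling keeps the
    # byte-to-character mapping uniform over the allowed set (no modulo bias).
    n = len(policy.allowed)
    limit = 256 - (256 % n)
    out, block = [], 0
    while len(out) < policy.length:
        msg = attempt.to_bytes(4, "big") + block.to_bytes(4, "big")
        for b in hmac.new(key, msg, "sha256").digest():
            if b < limit:
                out.append(policy.allowed[b % n])
                if len(out) == policy.length:
                    break
        block += 1
    return "".join(out)


def derive_password(master: str, site: str, policy: SitePolicy,
                    max_attempts: int = 256) -> str:
    # The site name is the salt; the iteration count is illustrative, not a recommendation.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), 100_000, dklen=32)
    for attempt in range(max_attempts):   # deterministic retry keeps the output stable
        pw = _candidate(key, attempt, policy)
        if meets_policy(pw, policy):
            return pw
    # Reached when a required class contains nothing from the allowed set.
    raise ValueError(f"policy for {site} cannot be satisfied")


# Constructed sample policies for two sites with different rules
BANK = SitePolicy(length=12, allowed=string.ascii_letters + string.digits,
                  required=(string.ascii_uppercase, string.digits))
FORUM = SitePolicy(length=20, allowed=string.ascii_letters + string.digits + "!@#$%",
                   required=(string.ascii_lowercase, "!@#$%"))
```

    Changing a site's policy changes its derived password, which is the other cost of the scheme: the policy record must be stored and synced as carefully as a vault would be.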

  37. Chrome is at fault by Anonymous Coward · · Score: 0

    Don't use Chrome for anything except for its development tools, which do excel at testing and hacking web pages.