Slashdot Mirror


LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.

5 of 134 comments

  1. Re:Expected by Sneftel · · Score: 5, Informative

    The exploit doesn't seem to have anything to do with "the cloud". Once you're logged in to LastPass and your vault is downloaded, password decryption and form filling happen locally.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  2. Multifactor authentication is a datamining scheme by Anonymous Coward · · Score: 2, Informative

    The entire "2FA" concept is simply an info grab masquerading as security theater. In what way is it supposed to improve my security by A: Giving a piece of information that is NOT strictly need-to-know to some random weirdo on the Internet, and B: Tying the security of that thing to said third-party service?

    This is not security. This is simply an attempt to grab information masquerading as security theater. Real security has always worked based on the premise that a piece of information exists that is known only to two parties. We call this a "password". If one is not good enough, you can add a SECOND password. This avoids the involvement of any third parties which can add more holes to the chain. It's quite common, for instance, for sites to include a security hole: That this password process can be bypassed through a "reset" procedure that essentially invalidates the entire security system and pushes the ultimate security off to some third-party site. Are THEY secure? Who knows...but probably not, since now you have all that information funnelled into that one email. It's a common practice upon compromising an email account to attempt to initiate a password recovery for that email account on any interesting sites to see if you get any recovery mails to them.

    At that point your email-based "2FA" is totally worthless and more of a liability than if it was simply a non-automatically-recoverable password that wasn't stored anywhere, with no record of any association with an email address. Throwing in "phones" is even more obnoxious, because A: Not everyone has or desires to have a phone, as phones are a security breach that allows third-parties to remotely track and monitor your physical location at all times, and B: Phones are easily lost or stolen.

    I think it's reasonable to say that I'm regarded as one of the more paranoid people around, and I say this entire business is simply a scam. They just want to steal your phone or another email so they can spam you.

  3. Re: FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 4, Informative

    Actually, closed source software is better. If there's a vulnerability in open source software, anyone can look at the source code, find the security holes, and then exploit them. Closed source software is definitely far more secure.

    ... in other words, security by obscurity. That's not a discredited practice or anything.

  4. Re:Expected by Sneftel · · Score: 5, Informative

    The problem again is LastPass. Nobody knows if their security practices are any good, and the attack surface is huge.

    Well, their online security practices are relatively unknown, but they're also kind of beside the point. Yes, LastPass won't hand out someone's vault without some sort of authentication, but that's just fences around brick walls. The real means of security is in the client, which is the only part capable of decrypting the vault (decryption keys never being uploaded). The client source code is available and has been audited, so you can feel pretty good about that, short of the Ken Thompson hack or the possibility of the local computer itself being hacked (which, of course, would affect any password manager).

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  5. Re:Why not a password hasher? by AmiMoJo · · Score: 4, Informative

    Because password hashers are no more secure than password managers that auto-generate long random passwords. If an attacker steals your master password they still get everything. Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.

    You are right about online password managers though, they are an absolutely terrible idea as multiple LastPass breaches go to show. Use an offline password manager, optionally storing the encrypted file in the cloud if you need it to be portable, but with all the decryption happening outside your browser.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC