LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)
Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.
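The summary above describes autofill being tricked into treating an attacker's page as the real Twitter site. The following is an added illustration, not LastPass's code and not a description of the specific bug Karlsson found: it contrasts a weak autofill decision (a substring match on the raw page URL) with a strict one (parse the URL, require HTTPS, compare the full origin). The vault entries and page URLs are constructed sample data, and `naiveMatch`, `strictMatch` and `credentialsFor` are hypothetical names.

```javascript
// Added example of origin matching for password-manager autofill.
// Constructed vault data; not code from LastPass or any real manager.
const VAULT = [
  { origin: "https://twitter.com", username: "alice", password: "correct-horse" },
  { origin: "https://mail.example.com", username: "alice@example.com", password: "battery-staple" },
];

// Weak check: does the raw URL string contain the stored hostname?
// "https://twitter.com.evil.example/", "https://twitter.com@evil.example/"
// and "https://evil.example/?twitter.com" all contain "twitter.com".
function naiveMatch(pageUrl, entry) {
  return pageUrl.includes(new URL(entry.origin).hostname);
}

// Strict check: parse the page URL with the WHATWG URL parser, refuse
// anything that is not HTTPS, and require an exact scheme+host+port match.
// Userinfo, subdomains, paths and query strings cannot influence the result.
function strictMatch(pageUrl, entry) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return false; // unparseable URL: never fill
  }
  if (page.protocol !== "https:") return false;
  return page.origin === new URL(entry.origin).origin;
}

// Return the credentials that the chosen matcher would offer on a page.
function credentialsFor(pageUrl, matcher = strictMatch) {
  return VAULT.filter((e) => matcher(pageUrl, e)).map((e) => ({
    username: e.username,
    password: e.password,
  }));
}

// Demonstration on constructed lookalike URLs.
const samples = [
  "https://twitter.com/login",
  "https://twitter.com.evil.example/login",
  "https://twitter.com@evil.example/",
  "https://evil.example/?twitter.com",
  "http://twitter.com/login",
];
for (const url of samples) {
  console.log(url,
    "naive:", credentialsFor(url, naiveMatch).length,
    "strict:", credentialsFor(url).length);
}
```

Exact-origin matching is deliberately conservative: `https://www.twitter.com` and `https://twitter.com` are different origins, so a manager that wants to share one entry across subdomains needs a public-suffix-list lookup, not another string operation on the URL.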
Remembering passwords is terrible security practice. It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.
Using a password manager is ideal. The problem is using LastPass specifically is dumb; it's proprietary and closed source, so nobody has any idea what's going on with those passwords, nor if the company behind it is using optimal security practices. It plugs into your browser, so the attack surface is basically your entire computer.
Use a FOSS password manager that stores your passwords locally (i.e. does not connect to the Internet) and through an encrypted hash, like KeePass. LastPass is a bad idea on a number of levels.
Well, that's the cloud for you. Stop connecting stuff that doesn't need to be connected.
The best firewall: route to null.
So LastPass can be tricked into thinking it is on the real Twitter page. Newsflash, so can a human. So the human will also enter his password on that page, no matter the password manager he uses.
Thank you for the sanity. So many derisive and uninformed posts, so much schadenfreude being shoveled out, and not enough basic factual information.
Another thing to consider is that a lot of sites seem to be designed so that you can't just autofill to log in. Nowadays you have to first click a login link, which causes a dropdown form to appear.
I have to ask myself, of the, say, 10 most frequent sites that I use LastPass to log in to on a regular basis, could any other sites I've visited be ones attempting to maliciously impersonate those sites and steal my credentials? The likelihood is very small.