Slashdot Mirror


LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.

4 of 134 comments

  1. Not exactly... by myowntrueself · · Score: 4, Interesting

    The headline says 'Lastpass accounts can be completely compromised'.

    But this isn't a method of getting the Lastpass account password itself, it's a way of getting passwords for specific sites that the malicious site is trying to get passwords for.

    That isn't 'completely' compromising the Lastpass account.

    --
    In the free world the media isn't government run; the government is media run.
  2. Why not a password hasher? by ma++i+ude · · Score: 4, Interesting

    Password managers seem like an inherently terrible idea, particularly online ones.

    Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers and mobiles.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
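
    The "password hasher" scheme the comment describes, written out as an added example (not the commenter's own tool or any shipped extension): master password plus normalised site domain through a slow KDF, with a per-site counter covering the rotation case SScorpio raises in the reply. The alphabet, iteration count and the simplified `www.` stripping are my assumptions; note the trade-off the scheme carries by design: every site password is a function of the master, so anyone holding one derived password can try to guess the master offline, which is why a slow KDF rather than a plain hash is used here.

```python
"""Deterministic per-site password derivation (a 'password hasher'): added example, not from the thread."""
import hashlib
import string
import unicodedata
from urllib.parse import urlsplit

# Assumed output alphabet (70 symbols) and work factor; both are free choices, but every
# user of the scheme must keep them fixed or their derived passwords change.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
ITERATIONS = 200_000


def registrable_domain(url: str) -> str:
    """Normalise a URL or bare host so 'https://www.Example.com/login' and 'example.com'
    derive the same password. Simplified: lowercases and strips a leading 'www.' only;
    a real tool would consult the public suffix list for sites with several subdomains."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a site password from (master, domain, counter).

    The domain and counter form the salt. Bumping the counter for one site yields an unrelated
    password, which is how a single leaked site password is replaced without touching the master
    or any other site (the counter must then be remembered, e.g. in a small plaintext list).
    """
    master_nfkc = unicodedata.normalize("NFKC", master)  # avoid Unicode-encoding ambiguity
    salt = f"{registrable_domain(site)}\x00{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master_nfkc.encode("utf-8"), salt, ITERATIONS, dklen=64)
    # Treat the 512-bit key as an integer and take base-|ALPHABET| digits. The modulo bias of
    # taking 20 digits from a uniform 2**512 range is about 2**-389, i.e. negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed demo values: same master, two forms of the same site, then a rotation.
    print(derive_site_password("correct horse battery staple", "https://www.Example.com/login"))
    print(derive_site_password("correct horse battery staple", "example.com"))  # identical
    print(derive_site_password("correct horse battery staple", "example.com", counter=2))  # rotated
```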
    1. Re:Why not a password hasher? by SScorpio · · Score: 3, Interesting

      Say there is a security breach and you are forced to update your password. With your hasher you now need to update every single site to use the new password.

      With a password vault with unique passwords for every site you change the password for that single site and you're done.

  3. Re:Expected by SScorpio · · Score: 3, Interesting

    If a site has shitty password storage and is compromised, that password is leaked and there are bots that try logging into other sites using the same credentials. By having different passwords for different sites you can prevent this.

    There are password vaults that keep everything local if you are worried about security.