Slashdot Mirror


LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.


  1. Re:FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 3, Insightful

    Remembering passwords is terrible security practice. It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.

    Using a password manager is ideal. The problem is using LastPass specifically is dumb; it's proprietary and closed source, so nobody has any idea what's going on with those passwords, nor if the company behind it is using optimal security practices. It plugs into your browser, so the attack surface is basically your entire computer.

    Use a FOSS password manager that stores your passwords locally (i.e. does not connect to the Internet) and through an encrypted hash, like KeePass. LastPass is a bad idea on a number of levels.

  2. Expected by Anonymous Coward · · Score: 2, Insightful

    Well, that's the cloud for you. Stop connecting stuff that doesn't need to be connected.
    The best firewall- route to null

    1. Re:Expected by Sneftel · · Score: 5, Informative

      The exploit doesn't seem to have anything to do with "the cloud". Once you're logged in to LastPass and your vault is downloaded, password decryption and form filling happen locally.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    2. Re:Expected by LichtSpektren · · Score: 2

      Well, that's the cloud for you. Stop connecting stuff that doesn't need to be connected. The best firewall- route to null

      Hey, don't blame the cloud. I'll state on record that I store my passwords in the cloud. I have a KeePassX database that syncs via ownCloud. But decrypting the database requires both my master password, and a key file that I only store locally. So even if the ownCloud server's breached, my data is not in danger. (As an extra precaution, I also encrypt everything before I put it in my cloud folder, but that's just paranoia.)

      The problem again is LastPass. Nobody knows if their security practices are any good, and the attack surface is huge.

    3. Re:Expected by LichtSpektren · · Score: 2

      Not at all. I don't do anything illegal that I am aware of. I just don't want hackers having all my passwords, and infosec is a hobby of mine.

    4. Re:Expected by Sneftel · · Score: 5, Informative

      The problem again is LastPass. Nobody knows if their security practices are any good, and the attack surface is huge.

      Well, their online security practices are relatively unknown, but they're also kind of beside the point. Yes, LastPass won't hand out someone's vault without some sort of authentication, but that's just fences around brick walls. The real means of security is in the client, which is the only part capable of decrypting the vault (decryption keys never being uploaded). The client source code is available and has been audited, so you can feel pretty good about that, short of the Ken Thompson hack or the possibility of the local computer itself being hacked (which, of course, would affect any password manager).

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    5. Re:Expected by green1 · · Score: 2

      Then why give all your passwords to a third party in the first place? Seems like this is pretty much the expected outcome.

      You're not supposed to use the same password on multiple sites, because if someone gets access to that password, they get access to all the other sites too. Thing is, by putting all your passwords in a keyvault behind a single password, you've done exactly the same thing!

      If I'm going to make my passwords vulnerable by having one password that will get in to multiple sites, I'll do it the old fashioned way and use that password on those sites. It will be more secure than adding yet another website to be compromised.

    6. Re:Expected by SScorpio · · Score: 3, Interesting

      If a site has shitty password storage and is compromised, that password is leaked and there are bots that try logging into other sites using the same credentials. By having different passwords for different sites you can prevent this.

      There are password vaults that keep everything local if you are worried about security.

    7. Re:Expected by green1 · · Score: 2

      But this site DOESN'T keep it local, and that's exactly the point.

    8. Re:Expected by Sneftel · · Score: 2

      One generally uses a long, complex password for their password vault (which is fine, since you only have to remember the one password). This, combined with PBKDF2 backed by SHA-256 iterations, means that it's not realistically possible to brute-force the vault before the sun goes out.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  3. Multifactor authentication is a datamining scheme by Anonymous Coward · · Score: 2, Informative

    The entire "2FA" concept is simply an info grab masquerading as security theater. In what way is it supposed to improve my security by A: Giving a piece of information that is NOT strictly need-to-know to some random weirdo on the Internet, and B: Tying the security of that thing to said third-party service?

    This is not security. This is simply an attempt to grab information masquerading as security theater. Real security has always worked based on the premise that a piece of information exists that is known only to two parties. We call this a "password". If one is not good enough, you can add a SECOND password. This avoids the involvement of any third parties which can add more holes to the chain. It's quite common, for instance, for sites to include a security hole: That this password process can be bypassed through a "reset" procedure that essentially invalidates the entire security system and pushes the ultimate security off to some third-party site. Are THEY secure? Who knows...but probably not, since now you have all that information funnelled into that one email. It's a common practice upon compromising an email account to attempt to initiate a password recovery for that email account on any interesting sites to see if you get any recovery mails to them.

    At that point your email-based "2FA" is totally worthless and more of a liability than if it was simply a non-automatically-recoverable password that wasn't stored anywhere, with no record of any association with an email address. Throwing in "phones" is even more obnoxious, because A: Not everyone has or desires to have a phone, as phones are a security breach that allows third-parties to remotely track and monitor your physical location at all times, and B: Phones are easily lost or stolen.

    I think it's reasonable to say that I'm regarded as one of the more paranoid people around, and I say this entire business is simply a scam. They just want to steal your phone or another email so they can spam you.

  4. Re: FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 4, Informative

    Actually, closed source software is better. If there's a vulnerability in open source software, anyone can look at the source code, find the security holes, and then exploit them. Closed source software is definitely far more secure.

    ... in other words, security by obscurity. That's not a discredited practice or anything.

  5. Not exactly... by myowntrueself · · Score: 4, Interesting

    The headline says 'Lastpass accounts can be completely compromised'.

    But this isn't a method of getting the Lastpass account password itself, it's a way of getting passwords for specific sites that the malicious site is trying to get passwords for.

    That isn't 'completely' compromising the Lastpass account.

    --
    In the free world the media isn't government run; the government is media run.
    1. Re:Not exactly... by execthis · · Score: 3, Insightful

      Thank you for the sanity. So many derisive and uninformed posts, so much schadenfreude being shoveled out, and not enough basic factual information.

      Another thing to consider is that a lot of sites seem to be designed so that you can't just autofill to login. Nowadays you have to first click a login link which causes a dropdown form to appear.

      I have to ask myself, of the say 10 most frequent sites that I use Lastpass to login to on a regular basis, could any other sites I've visited be ones attempting to maliciously impersonate those sites and steal my credentials? The likelihood is very small.

  6. Why not a password hasher? by ma++i+ude · · Score: 4, Interesting

    Password managers seem like an inherently terrible idea, particularly online ones.

    Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers and mobiles.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
    1. Re:Why not a password hasher? by AmiMoJo · · Score: 4, Informative

      Because password hashers are no more secure than password managers that auto-generate long random passwords. If an attacker steals your master password they still get everything. Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.

      You are right about online password managers though, they are an absolutely terrible idea as multiple Lastpass breaches go to show. Use an offline password manager, optionally storing the encrypted file in the cloud if you need it to be portable, but with all the decryption happening outside your browser.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Why not a password hasher? by LichtSpektren · · Score: 2

      A password vault like KeePass can utilize both a key file and a master password. Even if my password is keylogged, I have another layer of security insofar that the attacker needs to also be able to access my local drive. The hasher doesn't have this sort of 2FA.

    3. Re:Why not a password hasher? by AmiMoJo · · Score: 2

      True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm.

      Exactly the same as an offline password manager, so no benefit.

      Except this file does not need to be secure in any way.

      It does. If someone has your salt and the URL of the site, and say that site gets compromised so they have the hash of your hash too. Now they can brute force your master password, and then get into every other site you used it with, and your file has a handy list of URLs where it will work.

      It's actually worse than using the master password to encrypt the password file. It's less convenient too; with an encrypted file you can store the user name, secret question answers etc.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Why not a password hasher? by SScorpio · · Score: 3, Interesting

      Say there is a security breach and you are forced to update your password. With your hasher you now need to update every single site to use the new password.

      With a password vault with unique passwords for every site you change the password for that single site and you're done.
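The password hasher sketched in the parent post (master password plus domain, hashed into a site password), the "details file" AmiMoJo says it still needs, and the per-site rotation SScorpio raises, as an added example that is not code from any poster or from LastPass. The derivation uses PBKDF2-HMAC-SHA256, as mentioned earlier in the thread for vault encryption, so that a leaked site password still costs the full key-stretching work per master-password guess; the iteration count and sample sites are constructed for the demo.

```python
import hashlib
import string

# Constructed demo value; the key-stretching cost is what slows offline
# guessing of the master password once one derived password has leaked.
ITERATIONS = 100_000
DEFAULT_ALPHABET = string.ascii_letters + string.digits

def derive_site_password(master, domain, counter=1, length=20,
                         alphabet=DEFAULT_ALPHABET):
    """Master password + domain + counter -> deterministic site password.

    PBKDF2-HMAC-SHA256 (rather than a single hash) so that every guess of the
    master password costs ITERATIONS hash evaluations. The domain and counter
    form the salt; the counter is what lets one site be rotated on its own.
    """
    salt = f"{domain.lower()}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, 32)
    # Convert the 256-bit output to the site's alphabet by base conversion
    # (bias for 20 chars over 62 symbols is negligible, unlike byte % 62).
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)

def passwords_for(master, details):
    """details: per-site dict {domain: {"counter": int, "length": int}}.
    This is the small file of site rules the thread argues a hasher still needs;
    it holds no secrets, but it does list every site the master password covers."""
    return {d: derive_site_password(master, d, s.get("counter", 1),
                                    s.get("length", 20))
            for d, s in details.items()}

def rotate(details, domain):
    """Rotate one site after a breach: bump its counter, leave the rest alone."""
    new = {d: dict(s) for d, s in details.items()}
    new[domain]["counter"] = new[domain].get("counter", 1) + 1
    return new

if __name__ == "__main__":
    # Constructed sample data.
    details = {"twitter.com": {"counter": 1, "length": 20},
               "example.org": {"counter": 1, "length": 12}}
    before = passwords_for("correct horse battery staple", details)
    after = passwords_for("correct horse battery staple", rotate(details, "twitter.com"))
    for d in details:
        print(d, before[d], "->", after[d])
```

Rotating twitter.com changes only that site's password while example.org stays the same, which is the refinement the hasher needs to answer the "update every single site" objection.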

  7. Re:FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 4, Funny

    All millennials suck. I hate millennial snowflakes. Just remember your damn passwords and you'll have no trouble. Fuck millennials and their lazy security. Die in a fire.

    Yea guys we millennials should remember our 200 passwords the same way the tech savvy Gen X people do...make them all the same! Or better yet, do what I already see everyone else doing and write them all in a notebook and keep in your top desk drawer. Sooo much better than us millennials and our lazy security...

    True story: somebody told me once that he made all of his passwords his social security number, because he was tired of remembering so many. If the site required letters in addition to numbers, he would suffix it with his initials.

    Even more horrifying than that, his email address was his full name and birth year @ hotmail.com...

  8. Same vulnerability every password manager has by Kinwolf · · Score: 3, Insightful

    So lastpass can be tricked to think he is on the real twitter page. Newsflash, so can a human. So the human will also enter his password on that page, no matter the password manager he uses.

  9. Re:cloud password vault is vulnerable by fustakrakich · · Score: 2

    How do you access your locally kept text file when you're not on your local desktop?

    Oh c'mon... Do I really need to spell out where you can keep a local copy?

    --
    “He’s not deformed, he’s just drunk!”
  10. Re:Where is the Bad Summary Tag? by LichtSpektren · · Score: 2

    This problem isn't specific to LastPass. If a bogus site is masquerading as the real site, any system that doesn't have extensive site validation checks will fail, including and especially, remembering passwords.

    The vulnerability isn't just phishing somebody's login. It's exploiting a bug in the LastPass client that allows you to compromise the user's account after phishing for just an individual site password.

  11. Re: FUCK MILLENNIAL SNOWFLAKES by KingMotley · · Score: 2

    No. It uses a standard, well known encryption algorithm - specifically https://en.wikipedia.org/wiki/... and https://en.wikipedia.org/wiki/... as stated here https://lastpass.com/how-it-wo... so the encryption technique isn't security by obscurity. That took a total of 10 minutes to find out, and that isn't what was broken.

  12. Re:cloud password vault is vulnerable by mrchaotica · · Score: 2

    Reading my 30-random-character password off my cellphone and manually typing it in to my desktop is not my idea of a good time. Therefore, I use keepass and store the database on a cloud drive sync'd between systems so I can copy-paste on each.

    --
    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz