Slashdot Mirror

← Back to Stories (view on slashdot.org)

LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)

Posted by msmash on from the security-blues dept.

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project zero hacker Tavis Ormandy who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twiter website and cough up the users' credentials of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.

12 of 134 comments (clear)

  1. Re:FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 3, Insightful

    Remembering passwords is terrible security practice. It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.

    Using a password manager is ideal. The problem is using LastPass specifically is dumb; it's proprietary and closed source, so nobody has any idea what's going on with those passwords, nor if the company behind it is using optimal security practices. It plugs into your browser, so the attack surface is basically your entire computer.

    Use a FOSS password manager that store your passwords locally (i.e. does not connect to the Internet) and through an encrypted hash, like KeePass. LastPass is a bad idea on a number of levels.

  2. Re:Expected by Sneftel · · Score: 5, Informative

    The exploit doesn't seem to have anything to do with "the cloud". Once you're logged in to LastPass and your vault is downloaded, password decryption and form filling happen locally.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  3. Re: FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 4, Informative

    Actually, closed source software is better. If there's a vulnerability in open source software, anyone can look a the source code, find the security holes, and then exploit them. Closed source software is definitely far more secure.

    ... in other words, security by obscurity. That's not a discredited practice or anything.

  4. Not exactly... by myowntrueself · · Score: 4, Interesting

    The headline says 'Lastpass accounts can be completely compromised'.

    But this isn't a method of getting the Lastpass account password itself, its a way of getting passwords for specific sites that the malicious site is trying to get passwords for.

    That isn't 'completely' compromising the Lastpass account.

    --
    In the free world the media isn't government run; the government is media run.
    1. Re:Not exactly... by execthis · · Score: 3, Insightful

      Thank you for the sanity. So many derisive and uninformed posts, so much schadenfreude being shoveled out, and not enough basic factual information.

      Another thing to consider is that a lot of sites seem to be designed that you can't just autofill to login. Nowadays you have to first click a login link which causes a dropdown form to appear.

      I have to ask myself, of the say 10 most frequent sites that I use Lastpass to login to on a regular basis, could any other sites I've visited be ones attempting to maliciously impersonate those sites and steal my credentials? The likelihood is very small.

  5. Why not a password hasher? by ma++i+ude · · Score: 4, Interesting

    Password managers seem like an inherently terrible idea, particularly onlines ones.

    Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers and mobiles.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
    1. Re:Why not a password hasher? by AmiMoJo · · Score: 4, Informative

      Because password hashers are no more secure than password managers that auto-generate long random passwords. If an attacker steals your master password they still get everything. Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.

      You are right about online password managers though, they are an absolutely terrible idea as multiple Lastpass breaches go to show. Use an offline password manager, optionally storing the encrypted file in the cloud if you need it to be portable, but with all the decryption happening outside your browser.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Why not a password hasher? by SScorpio · · Score: 3, Interesting

      Say there is a security breach and you are forced to update your password. With your hasher you now need to update every single site to use the new password.

      With a password vault with unique passwords for every site you change the password for that single site and you're done.

  6. Re:Expected by Sneftel · · Score: 5, Informative

    The problem again is LastPass. Nobody knows if their security practices are any good, and the attack surface is huge.

    Well, their online security practices are relatively unknown, but they're also kind of beside the point. Yes, LastPass won't hand out someone's vault without some sort of authentication, but that's just fences around brick walls. The real means of security is in the client, which is the only part capable of decrypting the vault (decryption keys never being uploaded). The client source code is available and has been audited, so you can feel pretty good about that, short of the Ken Thompson hack or the possibility of the local computer itself being hacked (which, of course, would affect any password manager).

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  7. Re:FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 4, Funny

    All millennials suck. I hate millennial snowflakes. Just remember your damn passwords and you'll have no trouble. Fuck millennials and their lazy security. Die in a fire.

    Yea guys we millennials should remember our 200 passwords the same way the tech savvy Gen X people do...make them all the same! Or better yet, do what I already see everyone else doing and write them all in a notebook and keep in your top desk drawer. Sooo much better than us millennials and our lazy security...

    True story: somebody told me once that he made all of his passwords his social security number, because he was tired of remembering so many. If the site required letters in addition to numbers, he would suffix it with his initials.

    Even more horrifying than that, his email address was his full name and birth year @ hotmail.com...

  8. Same vulnerability every password manager has by Kinwolf · · Score: 3, Insightful

    So lastpass can be tricked to think he is on the real twitter page. Newsflash, so can a human. So the human will also enter his password on that page, no matter the password manager he use.

  9. Re:Expected by SScorpio · · Score: 3, Interesting

    If a site has shitty password storage and is compromised that password is leaked and their are bots that try logging into other sites using the same credentials. By having different passwords for different sites you can prevent this.

    There are password vaults that keep everything local if you are worried about security.