Slashdot Mirror


LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)

Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy, who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the user's credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability.

7 of 134 comments

  1. Re:Expected by Sneftel · · Score: 5, Informative

    The exploit doesn't seem to have anything to do with "the cloud". Once you're logged in to LastPass and your vault is downloaded, password decryption and form filling happen locally.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  2. Re: FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 4, Informative

    Actually, closed source software is better. If there's a vulnerability in open source software, anyone can look at the source code, find the security holes, and then exploit them. Closed source software is definitely far more secure.

    ... in other words, security by obscurity. That's not a discredited practice or anything.

  3. Not exactly... by myowntrueself · · Score: 4, Interesting

    The headline says 'Lastpass accounts can be completely compromised'.

    But this isn't a method of getting the Lastpass account password itself, its a way of getting passwords for specific sites that the malicious site is trying to get passwords for.

    That isn't 'completely' compromising the Lastpass account.

    --
    In the free world the media isn't government run; the government is media run.
  4. Why not a password hasher? by ma++i+ude · · Score: 4, Interesting

    Password managers seem like an inherently terrible idea, particularly online ones.

    Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers and mobiles.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
    1. Re:Why not a password hasher? by AmiMoJo · · Score: 4, Informative

      Because password hashers are no more secure than password managers that auto-generate long random passwords. If an attacker steals your master password they still get everything. Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.

      You are right about online password managers though, they are an absolutely terrible idea as multiple Lastpass breaches go to show. Use an offline password manager, optionally storing the encrypted file in the cloud if you need it to be portable, but with all the decryption happening outside your browser.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
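Added example (not code from the original page, LastPass, or any named browser extension) showing the password-hasher scheme from the parent comment together with the per-site policy record this reply says you end up needing anyway. The key derivation uses PBKDF2 so a single leaked site password does not cheaply reveal the master; the domain and a rotation counter are the salt. Names such as SitePolicy and derive_password are this example's own, and the iteration count and character sets are assumptions.

```python
"""Domain-keyed password derivation ("password hasher") plus the per-site policy
record (length, rotation counter, allowed character classes) it depends on."""
import hashlib
import string
from dataclasses import dataclass
from typing import Dict, List

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+"   # assumed symbol set; real sites disagree on what they accept


@dataclass(frozen=True)
class SitePolicy:
    """Per-site metadata that cannot be recomputed from the master password alone,
    which is why a pure hasher still ends up with a file to protect."""
    domain: str            # registrable domain the password is bound to
    length: int = 20       # site-imposed length limit
    generation: int = 0    # bump after a breach to rotate just this password
    symbols: bool = True   # set False for sites that forbid symbols


def derive_password(master: str, policy: SitePolicy) -> str:
    """Deterministically derive the site password for one SitePolicy."""
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if policy.symbols else [])
    if policy.length < len(classes):
        raise ValueError("length too short to satisfy every required character class")
    alphabet = "".join(classes)
    # The salt binds the output to the domain and the rotation counter; PBKDF2
    # (200k iterations, an assumed figure) makes recovering the master from one
    # leaked site password expensive rather than a single hash per guess.
    salt = f"{policy.domain}\x00{policy.generation}".encode("utf-8")
    n = policy.length + 2 * len(classes)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, 200_000, dklen=n)
    # Byte-to-character mapping by modular reduction is slightly biased toward the
    # start of the alphabet; acceptable for illustration, not for a product.
    chars = [alphabet[b % len(alphabet)] for b in key[: policy.length]]
    # Place one character from each required class at key-derived, distinct
    # positions so the result passes the usual "must contain a digit/symbol" rules
    # without breaking determinism.
    used = set()
    for i, cls in enumerate(classes):
        pos = key[policy.length + 2 * i] % policy.length
        while pos in used:              # linear probing keeps the positions distinct
            pos = (pos + 1) % policy.length
        used.add(pos)
        chars[pos] = cls[key[policy.length + 2 * i + 1] % len(cls)]
    return "".join(chars)


def all_site_passwords(master: str, policies: List[SitePolicy]) -> Dict[str, str]:
    """Everything an attacker holding the master password and the policy file can
    regenerate: the whole point of the reply above."""
    return {p.domain: derive_password(master, p) for p in policies}


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master password
    vault = [SitePolicy("twitter.com"), SitePolicy("bank.example", length=12, symbols=False)]
    for domain, pw in all_site_passwords(master, vault).items():
        print(domain, pw)
```

Rotating a password after a breach means editing the generation counter in the policy record, and the record is exactly the state the reply says a hasher cannot avoid storing somewhere.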
  5. Re:Expected by Sneftel · · Score: 5, Informative

    The problem again is LastPass. Nobody knows if their security practices are any good, and the attack surface is huge.

    Well, their online security practices are relatively unknown, but they're also kind of beside the point. Yes, LastPass won't hand out someone's vault without some sort of authentication, but that's just fences around brick walls. The real means of security is in the client, which is the only part capable of decrypting the vault (decryption keys never being uploaded). The client source code is available and has been audited, so you can feel pretty good about that, short of the Ken Thompson hack or the possibility of the local computer itself being hacked (which, of course, would affect any password manager).

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  6. Re:FUCK MILLENNIAL SNOWFLAKES by LichtSpektren · · Score: 4, Funny

    All millennials suck. I hate millennial snowflakes. Just remember your damn passwords and you'll have no trouble. Fuck millennials and their lazy security. Die in a fire.

    Yeah guys, we millennials should remember our 200 passwords the same way the tech savvy Gen X people do...make them all the same! Or better yet, do what I already see everyone else doing and write them all in a notebook and keep it in your top desk drawer. Sooo much better than us millennials and our lazy security...

    True story: somebody told me once that he made all of his passwords his social security number, because he was tired of remembering so many. If the site required letters in addition to numbers, he would suffix it with his initials.

    Even more horrifying than that, his email address was his full name and birth year @ hotmail.com...