Slashdot Mirror


LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.

6 of 126 comments

  1. Keep passwords away from web browser integration by 0x537461746943 · · Score: 5, Insightful

    I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.

  2. Re:It's sooo easy! by Daemonik · · Score: 3, Insightful

    Nobody has to hack YOU, they hack the website you log into and download all their passwords then just keep trying those password/username combinations on other websites until they crack another one over and over again. You individually aren't worth much other than a shim to try to break into the next web server. Your accounts could be shared all over Russian hacking circles and you'd never know until the website you use reports a break in that might include your login.

    Smug people are just victims who don't know it yet.

  3. Re:Simple solution by Anonymous Coward · · Score: 5, Insightful

    Copy and paste works fine, but beware of the risk of other scripts within the login webpage and other open browser tabs accessing the clipboard.

    To digress a bit, but related to this topic. Slashdot has jumped the shark with ads in recent months. Makes one wonder how secure Slashdot is serving up hundreds (really! 392 at the moment, but seen it upwards of 500 already) of cookies and numerous trackers. Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc in hopes of hacking well known websites that Slashdot users do work for.

    Bottom line, be wary of having Slashdot open in a separate tab while doing anything sensitive. Likewise for many other sites that serve up obnoxious ads. Use of an ad blocker can help, but isn't fully comprehensive security in and of itself...

    Ironically, in light of the above issues, use of a password manager, whether cloud based or not, is likely safer than copy and pasting from a local text file.

  4. Allowed. Not allows by Gojira+Shipi-Taro · · Score: 4, Insightful

    Bugs have already been patched. Stop with the FUD please. Yea it's bad they existed, but they're gone.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump

  5. This! by s.petry · · Score: 4, Insightful

    I know of companies (perhaps even my current) which recommend people use LastPass over KeePass/KeePassX. The fact that they recommend a person use a password generator is good, but anything in the Cloud means that you _DO_NOT_ have physical control of the system storing passwords. The First rule of security is that you must have physical control of everything. All other Security rules come after that one.

    The Company problem is a symptom of promoting "marketing geniuses" and "number crunchers" to be in charge of Security, instead of promoting Security geniuses to be in charge of Security. As a security expert I have some great horror stories about bad decisions, and can tell you that stock options are constantly ready to be sold.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  6. 3 articles referencing the same statement, misunde by raymorris · · Score: 4, Insightful

    The three articles you posted were all about what Lorrie Cranor said, but you seem to misunderstand what she said. Cranor did NOT say that it's a bad idea to change YOUR password.

    What Cranor said is that there are downsides to forcing everyone to change their password every month or so.

    People will not remember a new password every month, so if forced to "change" it monthly they'll either write it on a Post-It note or just use [password]1, [password]2, [password]3, etc, not really changing the password, Cranor said. She's not wrong - there absolutely is a limit to how *often* you should *force* people to change their password.

    Also, leaks happen, leaks with millions of accounts, so you will be safer if you change your password *occasionally*. I use a system in which I can change my password every 6-12 months, without having to remember a new password. Another fact about passwords is that the safe length for a password keeps getting longer - I now normally call it a "pass phrase". When I started in security, an eight-character password was considered secure. So what I do is every so often I add a couple of characters to my base password.

    Imagine in 1998 maybe I could have used "pallFurt" as my base password. In 2000 I'd start using "pallFurt!?". In 2002, "4pallFurt!?". In 2004, "4pallFurt!?Dh". So I don't have to remember something completely different each time, but password changes, meaning dumps from old sites don't have my current password (besides it's slightly different for each site).
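The [password]1, [password]2 pattern raymorris attributes to Cranor, and the append-a-few-characters scheme in the post above, are both things a password-change policy can test for. The following Python is an added example, not code from the post or from LastPass: it compares a candidate password against an account's previous ones and flags incremental variants (same core after stripping leading/trailing digits and punctuation, pure appending or prepending, or high character-level similarity); the function names, the similarity threshold and the sample passwords are my own choices.

```python
import re
from difflib import SequenceMatcher

# Strip leading/trailing digits, punctuation and underscores so
# "pallFurt!?" and "4pallFurt!?Dh" collapse toward the same core.
_AFFIX = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def normalize(pw: str) -> str:
    """Lower-case the password with its decorative affixes removed."""
    return _AFFIX.sub("", pw).lower()


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is an incremental edit of `old`.

    Catches the three cheap rotations seen in the wild: identical password,
    same core with different digits/punctuation around it ("password1" ->
    "password2"), and one password embedded in the other (appending or
    prepending a few characters). Anything else falls back to a
    character-level similarity ratio (threshold is an assumed value).
    """
    if not old or not new:
        return False
    if new == old:
        return True
    core_old, core_new = normalize(old), normalize(new)
    if core_old and core_old == core_new:
        return True
    if core_old and core_new and (core_old in core_new or core_new in core_old):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def violates_history(candidate: str, history: list[str]) -> list[str]:
    """Return every entry of `history` that `candidate` is a trivial variant of."""
    return [h for h in history if is_trivial_variant(h, candidate)]


if __name__ == "__main__":
    # Constructed sample history (not real credentials).
    previous = ["pallFurt", "Xk9#qLm2"]
    for cand in ["pallFurt!?", "4pallFurt!?Dh", "correct horse battery"]:
        print(cand, "->", violates_history(cand, previous))
```

Such a check can only run at password-change time, when the user supplies the current password in the clear, because stored history is (or should be) hashed. Treat it as a complement to length and breach-list checks, not a substitute for them.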