LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)
Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty about password managers, as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Fast forward to the present, and we now have news that three separate bugs "would have allowed a third party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which, if exploited, would have allowed a third party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials: one bug affected the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could very well be hidden on any website, either one owned by the attacker or a compromised legitimate site.
This sort of thing is why I've never let any sort of browser thing do autofill. I have a password manager on my phone and when I need to, I look it up and *type* it in. A minor nuisance, but for frequently used passwords, I then don't need it as I actually remember them. The others are by definition infrequently used.
Though I have to admit, it's the most used feature of my phone. It also means I don't have to worry about synchronizing across many different browsers and computers, or the lack of security having all that in multiple places.
I hear you. It's a tough subject. I am pretty paranoid (in the general spectrum, not the Slashdot spectrum), and I used KeePass and resisted LastPass for a long time. And I kept my KeePass vault in a TrueCrypt volume. It was a pain in the rear, and useless on my mobile device, and I slowly slid back to password strategies I could remember, which were unique to each site, but if one site was compromised an attacker could figure out the pattern.
I did move to LastPass after reviewing managers and reading about how LastPass decrypts your vault locally, and deciding I believe them well enough. Of course that doesn't matter too much, because if they ever wanted my passphrase they could get it and store it when I log in. But again, my point is that there is a balance, and my own behavior when convenience was low was to slide into poor practices. With LastPass, I have a single point of failure, but I'm comfortable with it, and outside of that my password practices are much, much better.