Slashdot Mirror


LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced uncertainty about password managers, since such tools have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed passwords to be extracted via the autofill feature. Flash forward to the present and we now have news of three separate bugs that "would have allowed a third-party to extract passwords from users visiting a malicious website."

An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which, if exploited, would have allowed a third party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials; one bug affected the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.
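The story describes the general class of problem, a browser extension whose privileged logic can be driven by script running on an arbitrary web page, without the details of the patched bugs. The following is an added, constructed illustration of that class and is not LastPass's code or a reproduction of the reported bugs: a password-manager content script that answers page messages with vault entries. The vault contents, origins, message type names and the stand-in `makeWindow()` are assumptions made so it runs offline under Node.

```javascript
// Added illustration of the bug class in the story: a password-manager
// content script that answers page messages with vault contents. Constructed
// model, not LastPass's code; vault, origins and message names are assumed.

// Constructed vault keyed by origin.
const VAULT = {
  "https://bank.example": { user: "alice", pass: "hunter2" },
  "https://mail.example": { user: "alice@mail.example", pass: "s3cret" },
};

// Minimal stand-in for the browser's window.postMessage / "message" event so
// the demo runs under Node. In a real browser, event.origin is filled in by
// the browser from the sender's origin and cannot be forged by page script;
// event.data, by contrast, is entirely attacker-controlled.
function makeWindow() {
  const listeners = [];
  return {
    addEventListener(type, fn) {
      if (type === "message") listeners.push(fn);
    },
    // Deliver a message "from" origin; collect whatever the listener posts back.
    dispatch(origin, data) {
      const replies = [];
      const ev = { origin, data, source: { postMessage: (m) => replies.push(m) } };
      for (const fn of listeners) fn(ev);
      return replies;
    },
  };
}

// Vulnerable content script: hands out credentials for whatever site the
// message names. Any page, on any origin, can ask for any entry.
function installVulnerable(win) {
  win.addEventListener("message", (ev) => {
    if (!ev.data || ev.data.type !== "pm_fill") return;
    const creds = VAULT[ev.data.site] || null;   // attacker picks the site
    ev.source.postMessage({ type: "pm_creds", creds });
  });
}

// Hardened content script: the site is derived from the browser-supplied
// origin, never from message data, and unknown origins get no reply at all.
function installHardened(win, allowedOrigins) {
  win.addEventListener("message", (ev) => {
    if (!ev.data || ev.data.type !== "pm_fill") return;
    if (!allowedOrigins.has(ev.origin)) return;  // unknown origin: drop silently
    const creds = VAULT[ev.origin] || null;      // ignore ev.data.site entirely
    ev.source.postMessage({ type: "pm_creds", creds });
  });
}

// Send one fill request from `origin` asking for `site`; return the
// credentials the script disclosed, or null if it refused.
function request(install, origin, site) {
  const win = makeWindow();
  install(win, new Set(Object.keys(VAULT)));
  const replies = win.dispatch(origin, { type: "pm_fill", site });
  return replies.length ? replies[0].creds : null;
}

function runDemo() {
  return {
    // evil.example asks the vulnerable script for the bank entry: disclosed
    vulnerableCrossSite: request(installVulnerable, "https://evil.example", "https://bank.example"),
    // same request against the hardened script: refused
    hardenedCrossSite: request(installHardened, "https://evil.example", "https://bank.example"),
    // bank.example asks the hardened script for the mail entry: gets only its own
    hardenedOwnSite: request(installHardened, "https://bank.example", "https://mail.example"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

The point of the hardened variant is that nothing in `event.data` decides which vault entry is released; only the browser-set origin does, and an origin the vault has no entry for is ignored rather than answered. A real extension should go further and not expose a page-triggerable fill handler at all, preferring a user gesture in the extension's own UI, which is the direction the commenters below argue for.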

4 of 126 comments

  1. Keep passwords away from web browser integration by 0x537461746943 · · Score: 5, Insightful

    I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.

  2. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  3. Re:KeePass FTW! by PhrostyMcByte · · Score: 5, Informative

    I'll second KeePass. Not just because it's what I use, but because it takes serious measures to protect your data. Anyone can make a functioning password safe, but the way KeePass does it shows it was designed with an eye toward security. As a dev, I can appreciate it.

    A browser extension? Really? Your OS has a massive, old, reliable security feature in that one process cannot easily access the memory of another process, and you choose to not use that and instead build support directly into the largest attack vector on your PC, the browser?

  4. Re:Simple solution by Anonymous Coward · · Score: 5, Insightful

    Copy and paste works fine, but beware of the risk of other scripts within the login webpage and other open browser tabs accessing the clipboard.

    To digress a bit, though it's related to this topic: Slashdot has jumped the shark with ads in recent months. Makes one wonder how secure Slashdot is, serving up hundreds (really! 392 at the moment, but I've seen it upwards of 500 already) of cookies and numerous trackers. Slashdot is often associated, whether rightly or wrongly, with being populated by many tech-related users, so it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc. in hopes of hacking well-known websites that Slashdot users do work for.

    Bottom line, be wary of having Slashdot open in a separate tab while doing anything sensitive. Likewise for many other sites that serve up obnoxious ads. Use of an ad blocker can help, but isn't fully comprehensive security in and of itself...

    Ironically, in light of the above issues, use of a password manager, whether cloud based or not, is likely safer than copy and pasting from a local text file.