th3rEsa, posted July 27, 2016:
You better stop using it. Now. Here's the whole story: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

Stokkolm, posted July 27, 2016:
States that it's already fixed. Additionally, it was only exploitable with physical access to a logged-in machine. I'll keep using it.

rdlenk, posted July 27, 2016:
RegEx is tough. Sounds like it has already been fixed and was fixed very fast (as it should be; pretty stupid error but easy to fix). I disable autofill anyway, so this won't change my opinion of LastPass. Great product and a great company that approaches security flaws and vulnerabilities very professionally, quickly, and transparently. As long as you didn't go to a very oddly formatted URL, or had autofill disabled, or used multi-factor authentication, you were fine.

th3rEsa (thread author), posted July 27, 2016:
It was not their first security breach. Just a gentle reminder that the cloud is not a good place for your passwords.

Haggis, posted July 27, 2016:
25 minutes ago, th3rEsa said: "It was not their first security breach. Just a gentle reminder that the cloud is not a good place for your passwords."
Yeah, would be better just to write them down. /sarcasm
There's no point in using a password manager and then using autofill; you might as well just give anyone with access to your device the password.

th3rEsa (thread author), posted July 27, 2016:
There is something between "using no computer" and "using other people's computers".

BajiRav, posted July 27, 2016:
Don't use autofill and have two-factor. I guess I can live with a little risk for the convenience.

Tuskd, posted July 27, 2016:
Or use Dashlane.

Zlain, posted July 27, 2016:
So if you don't use autofill, do you manually copy and paste your usernames and passwords? Wouldn't that just store your passwords locally on your PC in your clipboard or something?

th3rEsa (thread author), posted July 27, 2016:
I usually use KeePass, which empties my clipboard after a few seconds. I wanted to switch away from KeePass because of the "ads are more important than security" thing, but the author fixed it some time later.

HawkMan, posted July 27, 2016:
I like how the title is something completely misleading instead of the correct "LastPass fixed unknown weakness in less than 10 hours after being informed". It's not even the title of the article it's linking to.
exotoxic, posted July 27, 2016:
3 hours ago, Zlain said: "Wouldn't that just store your passwords locally on your PC in your copy clipboard or something?"
Passwords are removed from the clipboard after 30 seconds. It's still an issue, but not localised to LastPass.
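th3rEsa's and exotoxic's posts above describe the mitigation KeePass and similar managers use: a copied password is wiped from the clipboard after a short timeout. The Python below is an added example written for this thread, not code from KeePass or LastPass. It uses a constructed in-memory clipboard and an injectable clock so it runs offline, and it handles the edge case a real implementation needs: if the user copied something else before the timer fired, the wipe must not clobber it. The guard keeps only a hash of what it placed, so the guard object itself never retains the secret.

```python
import hashlib
import time


class FakeClipboard:
    """In-memory stand-in for the OS clipboard so the example runs offline (constructed)."""

    def __init__(self):
        self._text = ""

    def set_text(self, text):
        self._text = text

    def get_text(self):
        return self._text

    def clear(self):
        self._text = ""


class ClipboardGuard:
    """Copy a secret to the clipboard and wipe it after `ttl` seconds.

    Hypothetical helper. The wipe is conditional: if the clipboard no longer holds
    what we placed (the user copied something else), leave it alone. Only a hash
    of the placed text is retained, so the guard itself never holds the secret.
    """

    def __init__(self, clipboard, ttl=30.0, clock=time.monotonic):
        self._clip = clipboard
        self._ttl = ttl
        self._clock = clock
        self._expected = None  # sha256 of what we placed, or None when disarmed
        self._deadline = None

    @staticmethod
    def _fingerprint(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def place(self, secret):
        """Put `secret` on the clipboard and arm the timer."""
        self._clip.set_text(secret)
        self._expected = self._fingerprint(secret)
        self._deadline = self._clock() + self._ttl

    def tick(self):
        """Call periodically (e.g. from a UI timer). Returns True if the clipboard was wiped."""
        if self._deadline is None or self._clock() < self._deadline:
            return False
        wiped = False
        if self._fingerprint(self._clip.get_text()) == self._expected:
            self._clip.clear()
            wiped = True
        # Disarm either way: after the deadline we no longer own the clipboard.
        self._expected = None
        self._deadline = None
        return wiped


def scenario(user_copies_something_else):
    """Drive the guard with a fake clock. Returns (early_tick, wiped, clipboard_at_end)."""
    now = [0.0]
    clip = FakeClipboard()
    guard = ClipboardGuard(clip, ttl=30.0, clock=lambda: now[0])
    guard.place("hunter2")          # constructed sample password
    now[0] = 10.0
    early = guard.tick()            # before the deadline: nothing happens
    if user_copies_something_else:
        clip.set_text("meeting notes")
    now[0] = 31.0
    wiped = guard.tick()
    return early, wiped, clip.get_text()


if __name__ == "__main__":
    print("untouched:", scenario(False))   # (False, True, '')
    print("user copied:", scenario(True))  # (False, False, 'meeting notes')
```

A real manager would back `FakeClipboard` with the platform clipboard API and call `tick()` from a timer; the conditional wipe is the part worth copying, since an unconditional clear after 30 seconds destroys whatever the user copied next and trains them to turn the feature off.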
1337ish, posted July 27, 2016:
LastPass report: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/

th3rEsa (thread author), posted July 27, 2016:
"Once more people who stored their secret data on our computers were in danger" blah blah.
LogicalApex, posted July 27, 2016:
5 hours ago, Stokkolm said: "States that it's already fixed. Additionally, it was only exploitable with physical access to a logged in machine. I'll keep using it."
Why do you think this was only exploitable with local access? This was exploitable using a specially crafted URL which could be accessed as a silent redirection link... like a link in a FB comment that redirects you to a NY Times article you're expecting after first siphoning a password or two. This was a pretty big hole... Nice that it was fixed fast on responsible disclosure, but concerning, as depending on how long that code has been there this could have been actively exploited in the wild.
5 hours ago, rdlenk said: "RegEx is tough. Sounds like it has already been fixed and was fixed very fast (as it should be, pretty stupid error but easy to fix). I disable autofill anyways, this won't change my opinion of LastPass. Great product and a great company that approaches security flaws and vulnerabilities very professionally, quickly, and transparently. As long as you didn't go to a very oddly formatted URL or had autofill disabled or used multi-factor authentication you were fine."
I don't use LastPass, and the payout for this exploit being responsibly shared with them will keep it that way. Being able to steal any password from the user's password store should be considered a major exploit by them and justify more than a $1K bounty payout. Otherwise, you encourage people who find these sorts of things to sell them off instead of responsibly reporting them. That should give you a strong pause for concern.
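Two posts above turn on the same point: rdlenk's "RegEx is tough" and LogicalApex's "specially crafted URL". The Python below is an added example written for this thread; it is not LastPass's code and not the pattern from the Detectify write-up (which the thread does not reproduce). The vault, the hostnames and the naive regex are constructed to illustrate the general error class of extracting a hostname from a URL with a hand-written pattern, beside the hardened form that asks a real URL parser for the host, requires https, and fills only on an exact hostname match.

```python
import re
from urllib.parse import urlsplit

# Constructed sample vault: hostname -> (username, password). Not real data.
VAULT = {
    "bank.example": ("alice", "correct horse battery staple"),
}

# Naive matcher (constructed to show the error class, not any vendor's code).
# It tries to skip optional "user:pass@" userinfo before the host, but ".*@"
# is not stopped by "/", "?" or "#", so it can run past the real authority
# and pick an "@host" that actually lives in the path or query string.
NAIVE_HOST_RE = re.compile(r"^https?://(?:.*@)?([^/:?#]+)", re.IGNORECASE)


def naive_host(url):
    """Hostname as the hand-rolled regex sees it."""
    m = NAIVE_HOST_RE.match(url)
    return m.group(1).lower() if m else None


def naive_lookup(url):
    """Autofill decision driven by the regex-extracted host."""
    return VAULT.get(naive_host(url))


def strict_host(url):
    """Hostname as a real URL parser sees it, or None if the page is not https.

    urlsplit() separates scheme, userinfo, host, port, path, query and fragment,
    so text after the first "/" or "?" can never be mistaken for the host.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return None  # never offer credentials to a non-TLS page
    return parts.hostname  # lower-cased; userinfo and port already stripped


def strict_lookup(url):
    """Autofill decision: exact hostname match only, no substring or suffix logic."""
    host = strict_host(url)
    return VAULT.get(host) if host else None


def compare(url):
    """Return (naive_host, strict_host, naive_fills, strict_fills) for one URL."""
    return (
        naive_host(url),
        strict_host(url),
        naive_lookup(url) is not None,
        strict_lookup(url) is not None,
    )


if __name__ == "__main__":
    for u in (
        "https://bank.example/login",
        "https://evil.example/login?next=x@bank.example",
        "http://bank.example/login",
    ):
        print(u, "->", compare(u))
```

The second URL is the instructive one: the regex reports `bank.example` and the naive matcher would fill the bank credential into a page served by `evil.example`, while `urlsplit().hostname` reports `evil.example` and the strict matcher stays silent. The lesson the thread gestures at is that the fill decision should be made on the parser's view of the origin, not on a pattern applied to the raw string.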
HawkMan, posted July 27, 2016:
5 hours ago, Haggis said: "yeah would be better just to write them down /sarcasm There no point in using apassword manager and then using auto fill, you would be aswell just giving anyone with access to your device the password"
As a mod, shouldn't you fix the fact that he's using an inaccurate title that is not the original title of the article he linked to?

Joshie, posted July 27, 2016:
6 hours ago, th3rEsa said: "You better stop using it. Now."
No thanks, I'll keep using it because I read the article and realized this doesn't affect me. But that extra "now" was a nice touch. On its own line and everything. Almost makes it look like you're personally invested.

xendrome, posted July 27, 2016:
6 hours ago, th3rEsa said: "It was not their first security breach. Just a gentle reminder that the cloud is not a good place for your passwords."
Cloud had nothing to do with it; you needed physical access to a computer with the extension installed and logged into the account with the master password. This doesn't even make any sense, cause if you had physical access plus the LastPass toolbar was logged in already with the master password, you could just browse the passwords in the vault using the extension.

Gary7, posted July 27, 2016:
I store my own passwords in a secured folder with its own password. The cloud has a great deal to do with it; I trust nothing in the "Cloud".

HawkMan, posted July 27, 2016:
1 minute ago, Gary7 said: "I store my own passwords in a secured folder with it's own password. The cloud has a great deal to do with it, I trust nothing in the "Cloud""
Ironically, a hacker that's targeting you (which is the only one who would have any use for this type of attack) would find it far easier to get access to that than to the data you store in the scary cloud.

Gary7, posted July 27, 2016:
Just now, HawkMan said: "ironically, a hacker that's targeting you(which is the only one who would have any use of this type of attack) would find it far easier to get access to that, than the data you store in the scary cloud."
What is the chance of a hacker attacking me? I am an obscure user with zero important data; average users are not normally attacked. I have never been, and I do not know anyone else that has been. My brother-in-law went for 5 years without even using an AV or firewall or a router and, although I thought he was nuts, his machine was clean.

HawkMan, posted July 27, 2016:
9 minutes ago, Gary7 said: "What is the chance of a hacker attacking me, I am an obscure user with zero important data, average users are not normally attacked, I have never been and I do not know anyone else that has been. My Brother in Law went for 5 years without even using an AV or firewall or a router and , although I thought he was nuts, his machine was clean."
Exactly, what is the chance of a hacker attacking/targeting you? Hence the LastPass cloud is safe. Also, your brother-in-law is what's called a lucky ... well, something.

Stokkolm, posted July 29, 2016:
On 7/27/2016 at 2:23 PM, LogicalApex said: "Being able to steal any password from the user's password store should be considered a major exploit by them and justify more than a $1K bounty payout. Otherwise, you encourage people who find these sort of things to sell them off instead of responsibly reporting them. That should give you a strong pause for concern."
I noticed in your profile block you use an iPhone. Did you know Apple pays exactly $0 in bounty payouts?

LogicalApex, posted July 29, 2016:
1 hour ago, Stokkolm said: "I noticed in your profile block you use an iPhone. Did you know Apple pays exactly $0 in bounty payouts?"
I agree the lack of a bug bounty program by Apple is something that needs to change, for the same reasons I cited as being problematic for the low payouts under LastPass' program. Of course, the difference for me in terms of usage is I don't store the keys to my digital life, as my usernames and passwords are, on their servers. I keep that in my KeePass file, which is only accessed via SFTP on a server in my basement...

User6060, posted July 29, 2016:
How about people just remember their own passwords. We used to also remember phone numbers and driving directions.