Lastpass bug

Topic Author
blueman457
Posts: 463
Joined: Sun Jul 26, 2015 12:19 pm

Lastpass bug

Post by blueman457 »

Given the number of LastPass users, I thought I'd share that a potentially significant bug in LastPass was discovered.

"Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete."

https://arstechnica.com/security/2017/0 ... -managers/
https://blog.lastpass.com/2017/03/secur ... sion.html/

This doesn't change my practice of using LastPass for now: I use it for almost all passwords except for banking/government (which are stored separately). Those critical passwords are stored in an encrypted file which apparently is non-trivial to break.

Blue Man
mhalley
Posts: 8522
Joined: Tue Nov 20, 2007 6:02 am

Re: Lastpass bug

Post by mhalley »

This is why I don't put my passwords in the cloud. I use KeePass, not as convenient but I sleep better.
Loik098
Posts: 681
Joined: Mon May 30, 2016 9:29 pm

Re: Lastpass bug

Post by Loik098 »

Thank you for sharing, although they aren't sharing much info here. Sounds like the issue is just with the browser extension.

I still prefer to use it, for the reason stated at the end of the article:

Ultimately, password managers likely make the average user safer because they make it possible to use long, complex, and unique passwords. And that protects people in the event that their password is exposed in website breaches, which are much more common than real-world password manager exploits.
tinscale
Posts: 399
Joined: Thu Dec 17, 2009 11:16 pm
Location: North Carolina

Re: Lastpass bug

Post by tinscale »

Google researcher discovers a vulnerability. I'm sure there are more not yet discovered. :oops:
knight rider
Posts: 22
Joined: Wed Jun 08, 2016 12:06 pm

Re: Lastpass bug

Post by knight rider »

tinscale wrote: Google researcher discovers a vulnerability. That leaves how many undiscovered? :oops:
Who knows. But for the average user, the benefits of using a program like LastPass far outweigh the risk of a bug being discovered by a malicious group. Despite best intentions, people tend to default to repetitive, easy-to-remember passwords when they don't have the help of a tool to store them and generate truly secure passwords.
triceratop
Posts: 5838
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Lastpass bug

Post by triceratop »

I use Password store, by zx2c4 and recommend it to those on a unix-based system; I considered systems such as Lastpass but rejected it for reasons that have to do with this bug.

With proper agent configuration the browser plugin for password-store has no special privileges and the GnuPG master password is required to be entered for every unlock of the vault. Moreover, I am able to (and have) easily inspect the bash source for password-store and verify both its simplicity and correctness.
"To play the stock market is to play musical chairs under the chord progression of a bid-ask spread."
tinscale
Posts: 399
Joined: Thu Dec 17, 2009 11:16 pm
Location: North Carolina

Re: Lastpass bug

Post by tinscale »

knight rider wrote:
tinscale wrote: Google researcher discovers a vulnerability. That leaves how many undiscovered? :oops:
Who knows. But for the average user, the benefits of using a program like LastPass far outweigh the risk of a bug being discovered by a malicious group. Despite best intentions, people tend to default to repetitive, easy-to-remember passwords when they don't have the help of a tool to store them and generate truly secure passwords.
I agree.
TheTimeLord
Posts: 8279
Joined: Fri Jul 26, 2013 2:05 pm

Re: Lastpass bug

Post by TheTimeLord »

blueman457 wrote: LastPass browser extension
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
spammagnet
Posts: 1165
Joined: Wed Apr 27, 2016 9:42 pm

Re: Lastpass bug

Post by spammagnet »

This is not an attempt to convince those who aren't interested in using Lastpass, but here's recent info from the vendor:

https://blog.lastpass.com/2017/03/impor ... sers.html/

"...
Firefox 3.3.2 message-hijacking bug
What you need to know:
  • We recently announced deprecation of the 3.x branch of Firefox prior to this report.
  • We strongly recommend updating to Firefox 4.1.36 from LastPass.com/download. Users can also update to Firefox 3.3.4, however as we noted previously, the 3.x version of LastPass will be retired in the coming weeks.
Website connector bug
What you need to know:
  • We have submitted updates to all affected clients to fully remove this vulnerability and re-released to all users.
  • Chrome and Firefox are live now, while Edge and Opera are awaiting app store approval.
  • As a part of that process, we conducted an exhaustive analysis of every other extension (as well as our installers) that leverage this code.
..."
Ged
Posts: 3927
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Lastpass bug

Post by Ged »

mhalley wrote: This is why I don't put my passwords in the cloud. I use KeePass, not as convenient but I sleep better.
I agree. The idea of having my passwords in the cloud is very discomfiting.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 2:32 pm

Re: Lastpass bug

Post by 2015 »

Ged wrote:
mhalley wrote: This is why I don't put my passwords in the cloud. I use KeePass, not as convenient but I sleep better.
I agree. The idea of having my passwords in the cloud is very discomfiting.
Another very happy KeePass user. I've posted before regarding my unease storing anything in the cloud that could be such a juicy, highly lucrative target for hackers. Just because it hasn't happened doesn't mean it won't, and I do believe it's just a matter of time. I'm waiting for the day to say "I told you so", if only to myself.
Topic Author
blueman457
Posts: 463
Joined: Sun Jul 26, 2015 12:19 pm

Re: Lastpass bug

Post by blueman457 »

Again, I technically don't think it's a cloud issue at hand. It's salted/hashed/whatever the correct encryption word is. Here it's more of an implementation issue on the browser side.

I view it as similar to the Vault 7 regarding the CIA's ability to "break into" the Signal messaging app. Technically, the encryption was strong and secure, it's that the CIA figured out how to capture the message on the smartphone before it was encrypted.
hirlaw
Posts: 376
Joined: Tue Sep 29, 2009 10:20 am

Re: Lastpass bug

Post by hirlaw »

I am concerned about a dishonest employee or principal of the company. Also, I worry about a company going out of business -- how secure will the servers/security be in a liquidation setting.
Optimistic
Posts: 331
Joined: Tue Sep 28, 2010 5:05 pm

Re: Lastpass bug

Post by Optimistic »

hirlaw wrote: I am concerned about a dishonest employee or principal of the company. Also, I worry about a company going out of business -- how secure will the servers/security be in a liquidation setting.
From LastPass FAQs
How is LastPass secure and how does it encrypt/decrypt my data safely?
What happens if LastPass disappears?
Ged
Posts: 3927
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Lastpass bug

Post by Ged »

2015 wrote:
Ged wrote:
mhalley wrote: This is why I don't put my passwords in the cloud. I use KeePass, not as convenient but I sleep better.
I agree. The idea of having my passwords in the cloud is very discomfiting.
Another very happy KeePass user. I've posted before regarding my unease storing anything in the cloud that could be such a juicy, highly lucrative target for hackers. Just because it hasn't happened doesn't mean it won't, and I do believe it's just a matter of time. I'm waiting for the day to say "I told you so", if only to myself.
My problem is that given the abilities of certain Federal Agencies to attack algorithms that are commonly viewed as safe, we really don't know anymore what is actually secure.

For example THIS paper:

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
Peculiar_Investor
Posts: 1658
Joined: Thu Oct 20, 2011 12:23 am
Location: Staying home - Calgary, AB

Re: Lastpass bug

Post by Peculiar_Investor »

Lastpass is reporting they've resolved the bug, read Security Update for the LastPass Extension | The LastPass Blog for details.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Tycoon
Posts: 1500
Joined: Wed Mar 28, 2012 7:06 pm

Re: Lastpass bug

Post by Tycoon »

Ged wrote:
mhalley wrote: This is why I don't put my passwords in the cloud. I use KeePass, not as convenient but I sleep better.
I agree. The idea of having my passwords in the cloud is very discomfiting.
Another agreement here.
Emotionless, prognostication free investing. Ignoring the noise and economists since 1979. Getting rich off of "smart people's" behavioral mistakes.
Peculiar_Investor
Posts: 1658
Joined: Thu Oct 20, 2011 12:23 am
Location: Staying home - Calgary, AB

Re: Lastpass bug

Post by Peculiar_Investor »

Ged wrote:
mhalley wrote: This is why I don't put my passwords in the cloud. I use KeePass, not as convenient but I sleep better.
I agree. The idea of having my passwords in the cloud is very discomfiting.
As a general policy I keep as little data/information in the cloud as possible. I also want to follow best practices on passwords and have unique, hard to guess passwords for the various accounts/sites that I use. That's a challenge as we all know.

I had previously used my browser's password remembering capabilities, and before that an application that some with long memories might recall, TurboPassword (Chapura). Both were local device solutions that worked OK, but I always questioned the strength of their algorithms and therefore the safety of my data/information.

Lastpass eventually won me over because a) they've been very responsive to security breaches AFAIK and b) although my password vault is stored in the cloud, it is encrypted locally and the encrypted file is then stored in the cloud. I can accept the safety of this method and acknowledge there still is a risk with my data/information being in the cloud.

The alternative that I've seen mentioned here and elsewhere is to use a password manager that only stores the data/information locally. Good so far, but then for portability and re-use on other devices, how do you move the data around? Often it gets uploaded to Dropbox, iCloud, ..., which essentially brings it back to the LastPass model.

Ultimately anything connected to the internet has inherent risks of compromise, the challenge is doing your part to manage those risks in a sensible manner. As others have stated, if you are not using a password manager type application, there is a tendency to re-use id/password pairs to minimize what needs to be remembered. That too has security risks that are often ignored.

My $0.02 (Canadian)
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Mudpuppy
Posts: 6450
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Lastpass bug

Post by Mudpuppy »

There have been several attacks over the years against browser extensions for LastPass specifically and other password vaults in general. In most cases, this involves somehow fooling the browser extension into thinking you are on XYZ website, when you are actually on ABC website. By using the browser extension to have the convenience of automatically logging in to a site when you visit it, you've opened yourself to the risk that the browser extension is tricked this way.

The simplest solution is to just not use the browser extensions for a password vault. Take the extra 30 seconds to manually cut-and-paste the password from the vault into the website when you want to log in (or the extra minute to manually type it out). Then you don't have to worry about browser extensions being fooled, you just have to worry about you being fooled (e.g. phishing or other social engineering).