
LastPass: design flaw in communication to privileged components - pedro84
https://bugs.chromium.org/p/project-zero/issues/detail?id=884
======
mentat
Agree with the comment that the blogger doesn't understand what phishing is.
This could be done against a huge number of people through various approaches
with ad network code or targeted attacks controlling path to internet. That's
all setting aside how trivial it would be for nation states.

~~~
bqe
They have a history of trying to explain away their security problems as not
really their fault. That alone should give any LastPass user pause.

~~~
bad_user
That's unfair. LastPass has always been transparent about their problems, much
more so than other companies like Dropbox.

And there's nothing in their response that tries shifting the blame:
[https://blog.lastpass.com/2016/07/lastpass-security-updates.html/](https://blog.lastpass.com/2016/07/lastpass-security-updates.html/)

~~~
mentat
> Beware of phishing attacks. Do not click on links from people you don’t
> know, or that seem out of character from your trusted contacts and
> companies.

This was not necessary for this attack to be successful on the default
configuration of the tool. That's what I take issue with.

------
mikkom
So this post says

> We have verified that intercepting messages via the method you suggested is
> possible and is a problem. We have also verified it only affects firefox
> (chrome, ie, safari, opera, etc do not use the window for message passing in
> the same manner) and doesn't affect our primary addons.mozilla.org firefox
> download (which is still 3.0 version).

It seems the latest version for Windows is 4.1.20a? As I'm both a Linux and
Firefox user and there have been 2 password stealing exploits revealed, I would
very much like to know if this affects me (my version seems to be 3.3.1). Is
there any version history that I could check, or does anyone know what versions
are affected by these 2 exploits?

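The vendor reply quoted above says the Firefox add-on passed messages through the window in a way that let them be intercepted. The flaw class is general: a `message` listener that trusts whatever arrives on the window will act on messages from any script running in the page. The following is an added example, not code from the Project Zero report, from LastPass, or from anyone in this thread. It contrasts a loose receiver with one that checks `event.origin` and the message shape before acting. The trusted origin, the command names and the sample event objects are constructed stand-ins for a real browser `MessageEvent`, so the code runs under Node without a DOM; in a page the same handler would be registered with `window.addEventListener("message", handler)`.

```javascript
// Added example (not from the report, LastPass, or the thread): deciding
// whether a window.postMessage()-style message can be trusted. Event objects
// are constructed stand-ins for a browser MessageEvent (origin + data).

// Hypothetical extension origin. In a real extension this is the add-on's own
// origin, never a value the page supplies.
const TRUSTED_ORIGIN = "https://extension.example";

// Loose receiver: acts on any message with the right-looking command. Any
// script that can run in the page (ad, injected script, compromised content)
// can reach it, which is the weakness the vendor reply describes.
function looseHandler(event) {
  const msg = event.data;
  if (msg && msg.cmd === "getCredentials") {
    return { action: "lookup", site: msg.site };
  }
  return { action: "ignore" };
}

// Strict receiver: origin check first, then message shape, then an allow-list
// of commands instead of dispatching on free text.
const ALLOWED_COMMANDS = new Set(["ping", "getCredentials"]);

function strictHandler(event, trustedOrigin = TRUSTED_ORIGIN) {
  if (event.origin !== trustedOrigin) {
    return { action: "reject", reason: "untrusted origin " + event.origin };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.cmd !== "string") {
    return { action: "reject", reason: "malformed message" };
  }
  if (!ALLOWED_COMMANDS.has(msg.cmd)) {
    return { action: "reject", reason: "unknown command " + msg.cmd };
  }
  if (msg.cmd === "getCredentials" && typeof msg.site !== "string") {
    return { action: "reject", reason: "missing site" };
  }
  if (msg.cmd === "ping") {
    return { action: "pong" };
  }
  return { action: "lookup", site: msg.site };
}

// Constructed sample events: one from the trusted origin, one from an
// arbitrary page. Both carry an identically shaped request.
const fromExtension = {
  origin: TRUSTED_ORIGIN,
  data: { cmd: "getCredentials", site: "bank.example" },
};
const fromPage = {
  origin: "https://some-other-page.example",
  data: { cmd: "getCredentials", site: "bank.example" },
};

// Runs both receivers over both events so the difference is visible.
function demo() {
  return {
    looseFromPage: looseHandler(fromPage),
    strictFromPage: strictHandler(fromPage),
    strictFromExtension: strictHandler(fromExtension),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The loose handler returns a lookup for the page-originated request; the strict one rejects it and only serves the request whose origin matches. Origin alone is not a complete fix (the trusted side must also be the one that decides what to do with the response), but without it every other check can be bypassed by whoever can run script in the page.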
~~~
keksdev
They say version 3.0 is not affected by this:

> If you are running LastPass 3.0, you are not impacted and do not need to
> update.

As far as I know, 3.0 refers to their old interface. You can download the new
version directly from their website, but not through the Firefox add-on site.
The version history is available here [1].

[1] [https://lastpass.com/upgrade.php](https://lastpass.com/upgrade.php)

------
Accacin
So, I've been using Lastpass for a few years now and I probably rely on it too
much. Every single login has a unique and strong password so it would be a
pain to have to move away.

I use a Yubikey that's required when I log into a new PC (my home pc is set to
only ask every 30 days for my 2FA key), I use an email that is only connected
to Lastpass and I have a strong passphrase. Any other device I use Lastpass on
is set to require a password and 2FA key at each start.

Is that enough to make me reasonably secure?

~~~
ciucanu
It should be safe enough, with a few exceptions, one of those being this
exploit:
[https://news.ycombinator.com/item?id=12171547](https://news.ycombinator.com/item?id=12171547)

This guy says that if the webpage "asks" for another page's credentials, the
lastpass plugin will give it. Every character/keystroke in specific fields
could be caught/logged; here you have an example from ... eBay:
[https://news.ycombinator.com/item?id=12000820](https://news.ycombinator.com/item?id=12000820)

Anyway, this was already fixed and pushed to the users, as the guy mentions in
his post.

------
JumpCrisscross
Has LastPass ever subjected their code to a proper, outside security audit in
a form tptacek would endorse?

------
cottsak
This is not the same as
[https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/](https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/)
is it?

~~~
mintplant
No, the two disclosures just happened to come at the same time.

~~~
jessaustin
Wow, a bad day for them. Two different awful bugs on the front page.

~~~
breakingcups
Up until now I wasn't aware there were two issues, I saw two very similar
titles on the front page and assumed it was about the same issue.

Might work out better for them than having one issue appear a week later.

------
mdesq
I wonder how the Citrix acquisition/merger will affect LastPass, especially
some of the security aspects.

------
kevin_thibedeau
Password managers exchange a strong secret, something you know, for a weak
one, something you have. Once an attacker gets to your database you're
completely owned. When they compromise a normal password the damage is more
contained if you maintain reasonable security practices.

~~~
pfg
Just about any scenario I can think of where the attacker could get to "what
you have", by which I assume you mean the unencrypted password database (i.e.
what you have _after you entered something you know_, since the whole point
of a password manager is to have one strong password that you need to
remember, instead of tens or hundreds of probably-not-so-strong individual
passwords), would also be a game-over scenario if you keep all your passwords
in your head, since the attacker could just run a keylogger and take the
passwords as you type them during regular use instead of getting your
unencrypted password database after you unlock it.

~~~
geofft
Yes, exactly. I have never understood the prevalence of threat models of the
form "if an attacker gets full, unrestricted access to my running session,
they still won't be able to ..." or "if an attacker gets me to run code, they
won't figure out ...". They make no sense, unless the attacker is stupid.

To be fair, there are a lot of script kiddies in the world.
