
LastPass release fix for DOM manipulation vulnerability - taviso
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
======
sillysaurus3
It will be nice when the "It's unethical to disclose security vulnerabilities
immediately" mindset fades away:
[https://twitter.com/stits/status/845717835733094401](https://twitter.com/stits/status/845717835733094401)

There's nothing wrong with publishing your findings immediately. It's not up
to a security researcher to do a bunch of unpaid, extra work. Finding a bug is
enough.

Which is better: Finding a bug and bringing attention to it, or someone
malicious finding the bug? The latter is objectively worse, but people keep
trying to punish researchers for not following the third path of "Report it in
private, following strict and lengthy procedures, and make no mention of it
until a timeline of their choosing."

It's a professional courtesy for someone to do that for free, but not a
requirement, and it's certainly not unethical to tweet about it.

~~~
foota
While I'm not sure how keeping the bug secret compares to revealing the bug
immediately in terms of ethicality, I think we can all agree that keeping it
secret for a reasonable amount of time while the company fixes it (unless
there is active evidence of exploitation, or you have significant reason to
believe there is) is strictly more ethical than either of those options.

~~~
throwayedidqo
I disagree. There's always a possibility that someone else already knows about
it and isn't disclosing it. Waiting to disclose will naturally lead a company
to take longer to fix the issue.

Immediately disclosing allows customers to take action to protect themselves
in case someone else is already exploiting the bug. Waiting to disclose is
being peddled by the corporate agenda as "the ethical thing to do" because it
makes vendors look bad.

Here's typically what happens. You disclose a bug, company fixes it for next
release and puts a footnote in the release notes. Nobody ever looks to see if
it was exploited because the instinct is to bury it. Customers aren't widely
notified and the seriousness is downplayed because "the bug is already fixed".
In the meantime the software was vulnerable for up to three months when it
didn't have to be.

If you disclose immediately there's a temporary panic as everyone does
mitigating measures (which is how it should always be done!!!). The company is
under tremendous pressure to put out a patch in a matter of days, which they
usually do. Then you get yelled at by the company for making them look bad and
"putting their customers at risk" even though the customers are provably safer
because they were only vulnerable for a few hours.

~~~
spectistcles
You're taking an unknown known and making it a known known.

I'd rather an exploit stay secret so there's a chance that someone doesn't use
it against me, rather than telling everyone the exploit and hoping someone
fixes it fast enough.

Disclose it to the company, and give them a hard time limit.

~~~
sillysaurus3
The opinions of people who work in the industry, whose reputations are on the
line, are strongly aligned toward immediate disclosure for fairly persuasive
reasons (see elsewhere in the thread). It makes us all safer to do so, for
example, because you have the option to stop using the affected software.

------
dleibovic
_All of your LastPass browser extensions should be updated to version 4.1.44
or higher_

On Firefox, the version I'm using is still 3.3.4, which is the version
available from the Mozilla addon store: [https://addons.mozilla.org/en-US/firefox/addon/lastpass-pass...](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/)

Why the discrepancy? Am I still vulnerable? In their blog post, they even
note:

 _We want to thank our partners at Apple, Google, Microsoft, Mozilla, Opera,
Yandex and others who fast-tracked our extension review and release._

~~~
taviso
I believe you have to switch to the "beta" channel, because 3.3.x is
deprecated.

imho, you should do this urgently.

[https://addons.mozilla.org/en-Us/firefox/addon/lastpass-pass...](https://addons.mozilla.org/en-Us/firefox/addon/lastpass-password-manager/versions/beta)

[https://blog.lastpass.com/2017/03/plans-to-retire-the-lastpa...](https://blog.lastpass.com/2017/03/plans-to-retire-the-lastpass-3-3-2-firefox-add-on.html/)

~~~
Steeeve
I've been trying out LastPass for a few weeks. I downloaded the extension that
their website directed me to. Because of this discussion, I did a version
check and lo and behold, it defaults to NOT auto-update.

Luckily I've been using it only for a few unimportant sites. They've had two
security issues disclosed since I started my trial. I'm impressed with the
functionality. I'm decidedly unimpressed with the security experience.

~~~
Nexxxeh
I am a heavy LastPass user, but I've stopped using the browser plugins, and
just copy and paste into my browser (or look up on my phone and manually type
on my laptop/desktop). C&P'ing is also a bit risky as LP seems to lack a clear
clipboard option on Android.

I have a month left on my paid subscription. I think I'll be leaving for a
competing product shortly.

~~~
mistermann
Have you made a decision, cuz I'm a new LastPass user and to me I find it
clunky (not to mention it causes constant mouse flickering at times).

~~~
Nexxxeh
Not yet. I'm thinking of trying 1Password or something KeePassX-based, maybe
with Google Drive or Dropbox for the syncing.

------
zaatar
Related bug: [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1225)

------
yladiz
I want to ask a serious question: considering there have been some major
issues with LastPass, like this one, showing up in recent memory, why do
people (at least here on HN) stick with it despite these major issues? There
are other options out there, depending on your use case (I use 1Password,
which seems to have fared much better as far as vulnerabilities), so why keep
the same software when vulnerabilities continue to be found in it? Is there a
special feature in LastPass?

~~~
arjie
I'm comfortable using software that has been thoroughly vetted by expert
security engineers. I am even more comforted by the fact that LastPass
responds rapidly to Tavis Ormandy's reports (and presumably others). I'll use
the guys who are extensively studied and do all right over the guys who are
less so.

It's like choosing a 4 ⭐️ product with 5000 reviews over a 5 ⭐️ product with
3.

~~~
TheDong
That's not an apt comparison.

Every security expert I've spoken to about password managers recommends
against LastPass. Typically they recommend 1Password, or passwordstore or
sometimes even KeePass.

The more apt comparison is a product with 100 2 star reviews vs one with 1000
4 star reviews.

1Password has more recommendations by security engineers, and has been
reviewed in significant depth.

LastPass has been reviewed in depth, but is rarely recommended by the same
engineers.

~~~
DiNovi
I like the idea that you are just walking around asking security engineers for
password managers

~~~
tptacek
That comment is not wrong.

------
fencepost
My most sensitive passwords aren't in LastPass (or anywhere else for that
matter) and don't overlap with any that are, but an awful lot are for less
important sites.

One thing I like about this is Tavis' comment on Twitter on 3/25 that it's a
major structural issue and they have 90 days to fix it. 6 days later, resolved
and confirmed so.

------
csours
Software needs to be

Secure by Design

Secure by Default

Secure by Deployment

I can't comment on Deployment, but the defaults are not secure (defaults to
autofill info), and it's not secure by design - surface area is much too
large.

For me to trust lastpass, I will have to see real changes on those.

~~~
scrollaway
I highly recommend KeePassX instead.
[https://www.keepassx.org/](https://www.keepassx.org/)

It's a local db only, you're in full control of where it is, where it goes.
It's one of my favourite pieces of software actually: Simple enough that my
aunt is using it, secure enough that I'm using it for my company's accounts.

~~~
interfixus
KeePassXC is a fork of the 1.x version. Fixes all the annoyances that the
official 2.x series somehow never got around to. Recommended.

[https://keepassxc.org/](https://keepassxc.org/)

~~~
scrollaway
XC is a fork of the 2.x series. I would _possibly_ recommend it, but it's less
battle-tested and they're aiming to enable the HTTP server by default which I
think is a mistake. I'm using it, but disabling that stuff.

(Either way the databases are compatible with one-another, so it's up to you
what client you use)

~~~
interfixus
You're right. I'm thinking 1.x because it has kept and augmented all the
useful 1.x behavior which the regular 2.x somehow managed to butcher.

------
simopaa
As I finally decided to move away from LastPass (giving Enpass a shot) and
tried to delete my account, I noticed in the advanced settings that the option
"Keep track of login and form fill history" was automatically turned on. This
may be just to show you the "most recent logins" in the app, but nonetheless I
think this setting should've been a bit easier to access.

------
ikeboy
Site seems to be relying on JavaScript or something to load: with uMatrix on,
I can only see the first page and can't scroll down.

~~~
jwilk
If you disable page style, you can read it without JS enabled.

------
jbg_
Why on earth do people who read HN keep their passwords in a cloud service?
pass/gopass, stored in git over ssh on a server I control, and I have access
to all my passwords everywhere while only relying on the security of ssh and
gpg...

~~~
Dayshine
I trust a company whose existence depends on keeping my passwords secure over
my own ability to keep my personal server secure.

It's not just ssh and gpg, it's every single service you have running on it,
every piece of hardware and the OS itself.

~~~
jbg_
No. If gpg does its job you could even host the passwords in a public GitHub
repository. Several pass users do this; I used to, but my server has better
availability than GitHub over the last few years so I switched after being
frustrated at not being able to sync new passwords to my phone a couple of
times.

~~~
jbg_
So, to be fair, I misspoke when I said I rely on the security of gpg AND ssh.
Really, it all comes down to the security of gpg. I feel pretty okay about
that.

~~~
nrook
Surely you mean "pretty good"?

~~~
jbg_
Yes. In my variant of English they mean the same thing :)

~~~
dewey
Pretty sure he was referring to
[https://en.wikipedia.org/wiki/Pretty_Good_Privacy](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) ;)

------
dewiz
Too late, I decided to take the opportunity and renew my passwords and store
them offline. I'm giving Enpass a try before reverting to the well known
KeePassX.

------
dguido
LastPass is a tire fire. How many exploitable vulnerabilities in a password
manager do people need to drop as 0day to kill this company? Why is it that we
continue to tolerate products that routinely violate the sales claims they
make? Start actively telling your friends to stop using LastPass and switch to
a better password manager.

~~~
paulryanrogers
Which do you recommend? Which for non technical users who can barely manage
LastPass?

~~~
TheDong
1Password.

Just like most security folks recommend.

It's damn usable too.

~~~
Steeeve
Except on Android, where it requires you to use a poor custom keyboard. Which
means that you have to either build your own keyboard switching functionality
or go through a ridiculous dance every time you want to use it.

~~~
kyrra
That is being fixed in Android O. 1Password even has a demo showing off the
content fill on the dev release of O.

------
bertlequant
Oh the number of people I see using LP at or through work...

