
LastPass bug leaks credentials from previous site - Daviey
https://www.zdnet.com/article/lastpass-bug-leaks-credentials-from-previous-site/
======
latchkey
Switched to BitWarden a few months ago from _years_ of using LastPass. Zero
regrets... it is in every way better for my use case. Switching wasn't hard
either. Even gave BW my money, it is worth supporting them.

~~~
buildzr
I'm avoiding the browser extensions, they seem to be a security nightmare.
KeePass and similar are a better way to go, if slightly more labor intensive.

~~~
tobib
> KeePass and similar are a better way to go, if slightly more labor
> intensive.

Slightly? Just thinking about the synchronization between machines makes this
an understatement in my opinion.

~~~
gnud
I store the keepass file in a cloud sync service. The file is encrypted.

The keepass application can perform "auto-type" which works for all sensible
applications and websites that have username/password input fields and a
log-in button.

Recently, more and more websites split the log-in into two screens, first
email and then password. This completely breaks auto-type and is horrible in
every way. Please don't do it.

~~~
tobib
This works if your environment allows a) installing applications and b) cloud
sync using consumer clouds (dropbox, gdrive, etc.).

You are right that this is a good approach for many; it will certainly break
for many as well.

~~~
kllrnohj
> This works if your environment allows a) installing applications and b)
> cloud sync using consumer clouds (dropbox, gdrive, etc.).

Re a) [https://keeweb.info/](https://keeweb.info/) toss this onto any ol' free
tier web host you want. No app install necessary. It's not as nice as the
apps, but it works.

Re b) Is there an environment that both has a web browser that you want
password management with _and_ doesn't let you access any consumer cloud sync
service?

~~~
tobib
There sure is. Most big companies work that way I would imagine. I can install
browser extensions, no problem but local apps are restricted. Also Dropbox and
others are blocked at the corporate firewall level.

~~~
tripzilch
Surely in such a place, blocking all that access means they care about
security and therefore provide you with a password management solution that
you also have no choice over.

I mean, installing browser extensions to deliberately get around their
security measures seems a little bit counterproductive. They aren't more
secure than local apps. Do you take this company's security measures seriously
or is it just some hurdle to get around for you?

------
gorhill
The bug report says:

    by iframing popupfilltab.html (i.e. via moz-extension,
    ms-browser-extension, chrome-extension, etc). It's a
    valid web_accessible_resource.
    [...]
    y.src="chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html";
    // or y.src="moz-extension://...";

My understanding is that this should not work with the Firefox version of
LastPass, since each installation of the extension is given a unique id which
can't be guessed by web pages -- that is unless the unique id is made visible
to web pages by the extension itself.
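
The precondition gorhill is pointing at is a manifest declaration: an extension page only becomes embeddable by an ordinary web page if it is listed under `web_accessible_resources`, and on Firefox the page additionally needs the per-install UUID in the `moz-extension://` origin. The following is an added example (my code, not the bug report's, LastPass's or any browser vendor's) that audits a constructed manifest for exactly that declaration. It goes beyond the Manifest V2 shape the report implies by also reading the Manifest V3 shape, where each resource list is scoped to `matches` patterns. The manifests, the function names `exposed_resources`, `audit_web_accessible_resources` and `would_expose`, and the notion of an "any origin" pattern are my assumptions for the illustration.

```python
"""Audit an extension manifest for web-accessible extension pages.

Added example, not code from the bug report or from any extension. The
manifest fragments below are constructed for illustration only.
"""
import fnmatch
import json

# Constructed Manifest V2 fragment: bare paths, exposed to every origin.
MV2_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-pw-manager",
    "web_accessible_resources": ["popupfilltab.html", "images/*.png"],
})

# Constructed Manifest V3 fragment: each resource list carries its own 'matches'.
MV3_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "example-pw-manager",
    "web_accessible_resources": [
        {"resources": ["popupfilltab.html"], "matches": ["<all_urls>"]},
        {"resources": ["images/*.png"], "matches": ["https://example.com/*"]},
    ],
})

# File types a web page could load as a document or script via <iframe>/<script>.
EMBEDDABLE_SUFFIXES = (".html", ".htm", ".js")


def exposed_resources(manifest_json):
    """Return (resource_pattern, allowed_origin_patterns) pairs.

    MV2 entries are plain strings and are reachable from any origin; MV3 entries
    are objects whose 'resources' are scoped to their 'matches' patterns.
    """
    manifest = json.loads(manifest_json)
    pairs = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):
            pairs.append((entry, ["<all_urls>"]))
        else:
            for res in entry.get("resources", []):
                pairs.append((res, list(entry.get("matches", []))))
    return pairs


def _matches_any_origin(origins):
    """True if the match list admits every web origin (assumption: these spellings)."""
    return any(
        o in ("<all_urls>", "*://*/*") or o.startswith(("http://*/", "https://*/"))
        for o in origins
    )


def audit_web_accessible_resources(manifest_json):
    """Flag extension documents/scripts that any web origin may embed.

    On Firefox the moz-extension origin is a per-install UUID, so a page must
    first learn that UUID; on Chrome the extension id is fixed and public, so a
    listing like this is directly reachable. Either way it merits review.
    """
    findings = []
    for pattern, origins in exposed_resources(manifest_json):
        if pattern.lower().endswith(EMBEDDABLE_SUFFIXES) and _matches_any_origin(origins):
            findings.append({
                "resource": pattern,
                "matches": origins,
                "reason": "extension document embeddable from any web origin",
            })
    return findings


def would_expose(manifest_json, path):
    """True if the given extension-relative path matches an exposed pattern."""
    return any(fnmatch.fnmatch(path, pat) for pat, _ in exposed_resources(manifest_json))


if __name__ == "__main__":
    for label, manifest in (("MV2", MV2_MANIFEST), ("MV3", MV3_MANIFEST)):
        print(label, audit_web_accessible_resources(manifest))
```

Run against a real extension by reading its unpacked `manifest.json` into `audit_web_accessible_resources`; anything it reports is a page whose markup and message handlers deserve the same scrutiny as a public web page, because that is what it effectively is.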

~~~
P_I_Staker
I have not read the article in detail, but earlier news stories I've seen said
that not all platforms were affected. Chrome and I believe Opera were
mentioned, but not Firefox.

------
loteck
It's interesting to note that browser extensions continue to be the primary
point of vulnerability for password management solutions. IIRC, it's been
quite a long time since vaults themselves were breached.

It is an undeniably more secure option to use password managers without their
associated extensions. Certainly less convenient, but ponder carefully your
threat model.

~~~
mook
Unfortunately the browsers persist in not providing the necessary APIs to
allow the password managers to work safely.

The Mozilla bug (1344788) has been open for three years with no meaningful
action in 2. It's been stuck waiting for security review, with nobody
empowered to do it.

------
rkagerer
They listed it as "Security: Minor bug fixes" in their release notes (v4.33.0,
[https://lastpass.com/upgrade.php?fromwebsite=1&releasenotes=...](https://lastpass.com/upgrade.php?fromwebsite=1&releasenotes=1))

Leakage of credentials seems like more than a "minor" bug - particularly for
software whose whole purpose is to securely store those credentials.

~~~
ggg3
Well, users already leave passwords in the clipboard as normal usage...

------
w8rbt
This is one reason why I believe that browser based password managers are
flawed. I've written about this in the past (link below). These apps are
popular with normal people (due to convenience), but long-term, we should not
trust web browsers plugins or add-ons as password managers.

[https://github.com/w8rbt/dpg#why-traditional-password-manage...](https://github.com/w8rbt/dpg#why-traditional-password-managers-are-flawed)

~~~
CJefferson
While in-browser password managers have drawbacks, they have the big advantage
that they stop phishing / fake domain attacks. I think I'm much more likely to
fall for one of those, than my password manager get hacked.

Also, generating all passwords off one master password deterministically sounds
like an awful, awful idea. If someone manages to get one of my passwords, they
can try performing an offline attack against the encoding password. If they
succeed, they have everything.

~~~
w8rbt
It's 2^15 rounds of pbkdf2 with long inputs. There is no master password as
nothing is stored. Good luck.

------
dzhiurgis
Classic LastPass. Shoddiest pw manager out there with history of editing wiki
pages to hide their sad track record.

~~~
nailer
Interested in this. Got a link?

~~~
dzhiurgis
I've described it here:
[https://news.ycombinator.com/item?id=15756044](https://news.ycombinator.com/item?id=15756044)

------
celticmusic
Is that true about LastPass being the most popular password manager?

I just can't imagine it, I'm forced to use it with a client, and it has hands
down the worst UI experience I've ever seen.

~~~
paulddraper
Long time last pass user...what do you recommend?

Team of 15-30 people, need shared username/password credentials for web, FTP,
and DB systems. Also other arbitrary secure "notes", e.g. SSH key. Needs 2FA
as well.

~~~
nathancahill
1Password is quite nice. Migrated a team from LastPass to 1Password recently,
the experience was very smooth.

------
a-ve
I quit LastPass when they were acquired by LogmeIn and doubled their prices to
$24 a year, and their constant issues with autofill (at least for websites in
my country).

I switched to Bitwarden and haven't faced an issue since.

~~~
ainiriand
Even worse, before it was just $12 and now it is $24 before taxes so you end
up paying $29.52. A 246% increase.

~~~
_salmon
People are really complaining about this, but honestly the features I get from
the product absolutely justify paying $2/month. I'd probably pay $3-4 before
it wouldn't become worth it for me.

~~~
jdofaz
For me they have tripled the price since I first subscribed and the bugs
aren't getting fixed.

I'm tired of the fill problems on iOS and Firefox and the price increases
compound my irritation.

------
tastroder
Was prepared to change all my darn credentials when clicking on that. For
those clicking the comments first, the byline is: "LastPass has released a fix
last week. Vulnerability details are now public. Users advised to update."

~~~
wglb
For something that has such a long trail of vulnerabilities, I don't recommend
LastPass to family friends and business associates. Use 1Password instead, or
pass.

Just one example (this one from 2017) of many:
[https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1225). Fundamental architectural flaws.

For more HN references, see
[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=lastpass%20vulnerability&sort=byDate&type=story)

~~~
kretor
Tavis Ormandy, who discovered the latest and several other Lastpass bugs, has
these password manager recommendations:

"KeePass and KeePassX are both good choices. If you really must use an online
one, at least LastPass are responsive to researchers and have a competent
security team, I would use them."

Asked about the experience he had reporting a 1Password vulnerability, he
says:

"Astonishingly bad"

(source:
[https://twitter.com/taviso/status/1167311357957435392](https://twitter.com/taviso/status/1167311357957435392))

------
ifcho
I have been using enpass, and I'm very satisfied. I was a LastPass user once,
but never trusted their security model. Then switched to 1password, but the
lack of good multiplatform support and their push to a cloud model made me
look for alternatives. What I want is support for Mac, Windows, Linux, and
Android; possibly one time payment; and local storage (most important). For
syncing I use my own nextpass cloud. Bitwarden is close, but enpass fulfills
all.

~~~
rolltiide
I’m still using non-cloud 1password but I can't recommend it to anyone else or
my employees because of the forced cloud thing.

~~~
gr2020
FYI, 1Password doesn’t force you to use their cloud service. Even if you
subscribe (as opposed to standalone), you still don’t have to actually use it.
I switched from an older standalone version to the current subscription
version, but I’m not using their cloud service to sync my vault.

~~~
gr8pes
Can you point me to some documentation that describes how to get rid of the
subscription cloud service? I just want a one time fee to purchase 1P and then
I want to just iCloud sync my 1P vaults.

------
danielsmay1
I've been very disappointed with LastPass in the past year or so. I've had
multiple instances where it doesn't actually save a password or secure note
that I tried to save. This has caused me a lot of stress the few times it
happened, including one login permanently.

Sadly I paid for a 10 year plan and have 4 years to go. Saved me some money,
but for what product? I use 1Password for work, and it is MUCH better than
LastPass.

------
nerdjon
I am seriously considering alternatives to LastPass.

Since they moved to a dedicated app instead of just a plugin on Mac, it is
borderline unusable for me.

Almost never actually fills in my passwords (often have to click copy
password), often thinks I am on a different website than I am, or just gives
me an empty white box when I click the LastPass button.

~~~
simcop2387
While it's definitely more work to set up, I've been using KeePassXC +
NextCloud for syncing. I've got it working on my phone with keepass2android
(think that's the name) and also use a yubikey challenge-response key to help
ensure that even with a bad password I've got decent protection of my
passwords. There's browser extensions for basically every browser out there,
and it even supports auto-typing into non-browser based applications (though I
can't say I use that feature myself).

~~~
acidburnNSA
I've been using something very similar, though I only have a local keyfile
that I independently put on my synced machines rather than the yubikey thing.
How do you like the yubikey process? Not too much of a pain?

~~~
simcop2387
Not much of an issue at all, it does mean that when I need to unlock my
manager or save the database, I have to have my [physical] keys around but
it's otherwise not an issue. I've got two duplicated yubikeys for it, a neo
with nfc and a 5 with usb-c. I generally use the neo for everything but needed
the usb-c one for laptops with no USB-A ports and my tablet which also has no
USB-A or NFC. Just the march of progress.

They get used by KeePassXC in yubico challenge-response mode, which I believe
works as follows: take HMAC(KDF(password), nonce) and use it as the
challenge to the yubikey, and the response that's returned is the master key
for the database. That's why it needs the yubikey whenever you save the
database and open it, as it generates a new nonce each time. It's still
vulnerable to a playback attack if someone recorded the interaction and had
that exact copy of the database, but that's also still true of one protected
without it. But with that, they have to get both of them at the same time; an
old copy of the database can't be attacked by a different challenge/response
than the one it was secured with. I used to use the keys in HOTP mode for this
with KeePassX before KeePassXC supported this mode, but that made for an
easier to attack setup since there needed to be a copy of things to predict
what the OTPs being generated would be. This also made syncing a lot harder
because there was an additional state file that was re-generated every time
the database was unlocked.
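
The unlock flow as the comment above describes it, modelled in software as an added example (my code, not KeePassXC's or Yubico's). The hardware HMAC-SHA1 slot is stood in for by `yubikey_response` with a `device_secret` that, on a real key, never leaves the device; `derive_master_key`, `save_database`, the toy `seal` cipher and the replay check `replay_demo` are all my constructions, and the real KeePassXC derivation mixes in further inputs the comment does not go into. What the model shows is the property the commenter relies on: a recorded response opens only the database copy saved with that nonce, and a re-saved copy needs the device again.

```python
"""Software model of a YubiKey challenge-response database unlock.

Added example following the description in the comment above. The device
secret, key derivation and toy cipher are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the secret programmed into the key's HMAC-SHA1 slot.
SIMULATED_DEVICE_SECRET = bytes(range(20))


def kdf(password, salt):
    """Slow password stretch; PBKDF2-SHA256 is an assumption, not KeePassXC's KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def yubikey_response(device_secret, challenge):
    """What the hardware slot computes: HMAC-SHA1(device_secret, challenge)."""
    return hmac.new(device_secret, challenge, hashlib.sha1).digest()


def derive_master_key(password, nonce, device_secret):
    """challenge = HMAC(KDF(password), nonce); the device's response is the master key."""
    challenge = hmac.new(kdf(password, nonce), nonce, hashlib.sha256).digest()
    return yubikey_response(device_secret, challenge)


def _keystream(master_key, length):
    """Toy counter-mode keystream from HMAC-SHA256 (illustration, not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(master_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master_key, plaintext):
    """Encrypt-then-MAC with the toy keystream; returns ciphertext || 32-byte tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(master_key, len(plaintext))))
    return ct + hmac.new(master_key, ct, hashlib.sha256).digest()


def open_with_key(db, master_key):
    """Return the plaintext, or None if the key does not authenticate this copy."""
    ct, tag = db["blob"][:-32], db["blob"][-32:]
    if not hmac.compare_digest(tag, hmac.new(master_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, len(ct))))


def save_database(plaintext, password, device_secret):
    """Every save draws a fresh nonce, so every save needs a fresh device response."""
    nonce = os.urandom(16)
    return {"nonce": nonce, "blob": seal(derive_master_key(password, nonce, device_secret), plaintext)}


def open_with_device(db, password, device_secret):
    """Normal unlock: recompute the challenge from the stored nonce and ask the device."""
    return open_with_key(db, derive_master_key(password, db["nonce"], device_secret))


def replay_demo(password, device_secret):
    """Returns (old_copy_opens, resaved_copy_opens) for one recorded response."""
    contents = b"example vault contents"
    old = save_database(contents, password, device_secret)
    recorded = derive_master_key(password, old["nonce"], device_secret)  # observed once
    resaved = save_database(contents + b" v2", password, device_secret)  # new nonce
    return open_with_key(old, recorded) == contents, open_with_key(resaved, recorded) is not None


if __name__ == "__main__":
    print(replay_demo("correct horse battery staple", SIMULATED_DEVICE_SECRET))  # (True, False)
```

`replay_demo` makes the comment's point concrete: the recorded response and the matching database copy together still open that copy, but the same response is useless against any copy saved afterwards.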

~~~
simcop2387
Forgot to mention, the syncing is all done via Nextcloud (open source dropbox
like system, but also does a lot more).

------
wging
Seems likely that the link will be replaced by a link to Tavis's write-up
[https://bugs.chromium.org/p/project-zero/issues/detail?id=19...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1930), but media coverage is interesting on its own, so
I'll note the link is currently [https://www.zdnet.com/article/lastpass-bug-leaks-credentials...](https://www.zdnet.com/article/lastpass-bug-leaks-credentials-from-previous-site/) / title "LastPass bug leaks credentials from
previous site". I won't quote specific passages, it's just interesting to
watch attempts to distill a technical issue into something for the general
public's consumption.

------
kretor
Password manager recommendations from Tavis Ormandy, who found the bug:

"KeePass and KeePassX are both good choices. If you really must use an online
one, at least LastPass are responsive to researchers and have a competent
security team, I would use them."

He adds about Lastpass:

"I consider them competent, I've reported some pretty complex issues and found
they handle them well. Attack surface is definitely massive, I always
recommend KeePass or just use a book if that's too complicated"

(source:
[https://twitter.com/taviso/status/1167311357957435392](https://twitter.com/taviso/status/1167311357957435392))

------
zeven7
I've been just using Chrome's built-in password storage feature, though I see
a lot of people are still using extensions. Any reason to prefer an extension
or third party over just using the built-in Chrome feature?

~~~
symlinkk
The cool thing about 1Password and similar is that not only do they work in
other browsers (Firefox), they also work outside of the browsers (e.g. in iOS
I can autofill login boxes with credentials pulled from 1Password)

~~~
arawde
This feature exists on Android. I can sign in to my chess app with login
credentials stored by Chrome (as an example)

------
vz8
For anyone who needs to confirm they have updated Lastpass, this link[0]
documents reinstallation / updates.

[0] [https://support.logmeininc.com/lastpass/help/how-do-i-enable...](https://support.logmeininc.com/lastpass/help/how-do-i-enable-the-lastpass-web-browser-extension-lp070006)

------
nickthemagicman
Confused as to why tech people in this thread are giving LastPass flak for a
single bug. They've had a pretty good track record for the past half decade or
so since I've been using them and they submitted a fix immediately for this
bug. Bugs happen, and this is a particularly obscure/esoteric bug. Right?

~~~
travisp
I disagree that they've had a good track record.

[https://www.martinvigo.com/even-the-lastpass-will-be-stolen-...](https://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/)

[https://twitter.com/tqbf/status/836619941805764609](https://twitter.com/tqbf/status/836619941805764609)

[https://twitter.com/taviso/status/843965519371812864](https://twitter.com/taviso/status/843965519371812864)

I've seen very few security researchers recommend it, while they will
recommend other services.

~~~
Barrin92
what is the generally recommended service?

------
wj
I hope this fixes the issue I have with one of my banking sites where it
populates the login with my old username and password which aren't stored in
LastPass anymore. Really weird that it seems to have them cached somewhere so
I have to manually select the bank's credentials in order to log in.

------
michannne
I remember my account was locked out completely even though I never did
anything. Tried all passwords I knew, but of course you only get limited
attempts (Why? If I'm using a brute-forceable password I'm already screwed,
I'd rather have unlimited attempts to guess my complex password). I went
through all the hoops to get a One-Time Password or whatever it was, tried it
on all machines I own, no luck. That's when I decided it wasn't worth it to
entrust all of my passwords to an opaque entity like that, it's not ideal, but
it's better than losing access to everything I use.

------
_iyig
I looked into LastPass and similar options a couple years ago, and ultimately
decided on the Chrome password manager (with option for the never-transmitted
encryption passphrase). Among other reasons, the Google Security Team seemed
bigger and better funded, and I already trust them with my e-mail anyway. I
supplement this with a text file that I encrypt/decrypt with the OpenSSL
command-line utility, since the latter is available on Linux, Mac, and Windows
via Cygwin. So far it’s been a pleasant experience.

------
mdesq
I'd love to switch away from LastPass. I switched to LastPass Families when
it came out due to their "digital contingency plan" so family members (or the
trusted family attorney) can get access to passwords rather conveniently if I
or another family member passes away. At the time, I didn't see that other
offerings made this as easy. Any other good options out there for this use
case?

~~~
dkoston
1Password has a Families plan for this.

~~~
mdesq
I will look into this. I do trust certain family members with access to my
vault password, but the notification of access and ability to give access to a
trusted third party (my lawyer) that is available with LP is very compelling.

~~~
dkoston
1Password allows you to add family members with access to specific values
either read-only or read/write. The system for adding access is multi-step so
unless you add someone to a vault they shouldn’t see, you have the flexibility
to share as little or as much as you want. Since you can name the vaults you
can name them things like “Shared with M Toussant (Attorney)” or “Samir Martha
and Paul” which can make it easy to determine where to store what secrets.
Have been using Business for a few years with some of my companies and Family
with my family and have had good experiences. You can initiate recoveries as
the administrator as well which has been helpful in both cases.

------
kmfrk
1Password is very straightforward after they added cloud vaults. Before that,
it was kind of a mess, but it works quite decently now.

~~~
alanh
As far as I know, 1Password has never suffered any hacks or critical
vulnerabilities the way that LastPass has. I have used both in the past; I
would never, ever recommend LastPass to anyone. 1Password, however? A nearly
perfect product (with great support).

~~~
kmfrk
LastPass support is positively abysmal by comparison, good lord does
everything suck about that experience.

------
vortico
Haha, lives up to its name. It exposes the _last_ pass used before the current
website.

------
techntoke
This is why I use pass and browserpass. I can't vouch for browserpass
extension, but pass is just a wrapper for GnuPG. The encrypted files can be
synced using almost any sync solution or even Git. There are apps for mobile
too.

~~~
Semaphor
That makes no sense as the point of attack here is exactly the extension. So
wrt this type of bug you gain nothing.

~~~
techntoke
You have the option of not using the extension with this method, and the same
vulnerability likely doesn't exist with Browserpass due to the communication
method.

~~~
Semaphor
But you have the same option with lastpass.

------
majinuub
Switched from LastPass to KeePass a couple months ago. Glad that I made the
move.

------
paulnpace
When an article states "...the bug relies on executing malicious
JavaScript...", why is the bug considered to be in the plugin and not
JavaScript?

~~~
kaikai
Using a programming language to exploit something doesn't mean the programming
language is flawed.

~~~
paulnpace
So, are they using the phrase "malicious JavaScript" correctly? Shouldn't they
remove "malicious"?

~~~
woodrowbarlow
"Malicious code" is code that was written with the express purpose of
exploiting a weakness or flaw. They're not saying JavaScript is malicious.
They're saying someone could write malicious JavaScript code (and then trick a
user into executing it) that exploits a flaw in LastPass.

------
nogridbag
I've been using LastPass for a long time, but I don't understand why they
don't support FIDO2 as a MFA option.

------
some1else
Password managers are great, just don't use the browser extension. Don't even
use the Grammarly extension.

~~~
highhedgehog
Care to elaborate?

~~~
some1else
Generally, I don't enjoy sending every keypress to a spellcheck API. Every
extension increases the attack surface area. The browser should remain secure,
use the native apps.

------
JOnAgain
I don’t use the browser extensions. I deal with copy paste BS every day, but I
rest easier.

------
hnarn
This is a good time to remind everyone that if you don't have 2-part
authentication to a service, that's because you don't care about other people
accessing it.

