
Tavis Ormandy finds another major hole in Lastpass - robk
https://twitter.com/taviso/status/845717082717114368
======
timmytokyo
OK, this is the last straw for me. I'm finally done with Lastpass.

Can anyone who uses Keepass with desktop and iPhone please explain their
setup? I'm finally going to make the switch, but I'm not sure what the best
options are for smart phone use.

~~~
grawlinson
I self-host an instance of Nextcloud and sync my KeePass DB between devices
with their desktop/mobile syncing applications. You could do the same with
Dropbox/Google Drive/et al.

It's pretty effortless.

~~~
timmytokyo
Assuming you have an iPhone, which iPhone app do you use?

~~~
grawlinson
Hey, sorry for the late reply. I do not have an iPhone, but a quick glance at
the iOS App Store shows that Nextcloud has an official app there.

------
chainsaw10
I feel like just having a browser extension is a major security hole for any
password manager. Yes it's more usable and prevents domain spoofing, but it
makes the attack surface huge.

Whereas to exploit a desktop app that doesn't interface with the browser
(written in a decent way), you'd need code execution already.

Thoughts?

~~~
hdhzy
I think it depends on the extension. For example browserpass [0] can only be
invoked on button press in the browser's chrome (not via scripts on the page),
and while it runs a native app via Native Messaging, it just uses JSON to
communicate.

[0]: https://github.com/dannyvankooten/browserpass
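
To make the "native app over Native Messaging, JSON only" design concrete, here is an added example of the host side of that channel. It is not code from this thread or from browserpass; the message shapes (`{"action": "search", "domain": ...}`), the 64 KiB size cap and the in-memory credential store are all constructed for the illustration. What it does show is the real framing Chrome and Firefox use (a 4-byte little-endian length prefix followed by UTF-8 JSON on stdin/stdout) and the part that matters for attack surface: the host refuses anything but a fixed set of actions, validates every field, and answers with one entry at a time rather than exposing the whole store.

```python
import io
import json
import struct
import sys

# Constructed, in-memory stand-in for the host's real password store.
# Keys are lower-cased host names; the host never returns more than one entry.
SAMPLE_STORE = {
    "example.com": {"login": "alice", "password": "correct horse"},
    "example.org": {"login": "bob", "password": "battery staple"},
}

# Assumption: a request is tiny, so anything larger is treated as hostile and
# dropped before it is buffered or parsed (well under the browsers' own limits).
MAX_MESSAGE_BYTES = 64 * 1024
ALLOWED_ACTIONS = {"search"}  # the only verb this host understands (constructed)


def read_message(stream):
    """Read one Native Messaging frame: uint32 LE length, then JSON bytes.
    Returns the decoded object, None at EOF, or raises ValueError on bad framing."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise ValueError("truncated length header")
    (length,) = struct.unpack("<I", header)
    if length == 0 or length > MAX_MESSAGE_BYTES:
        raise ValueError(f"refusing message of {length} bytes")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))  # JSONDecodeError is a ValueError


def encode_message(obj):
    """Frame a JSON-serialisable object the way the browser expects to read it."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return struct.pack("<I", len(body)) + body


def handle_request(req, store=SAMPLE_STORE):
    """Strictly validate one request and answer only what was asked for."""
    if not isinstance(req, dict):
        return {"error": "request must be an object"}
    if req.get("action") not in ALLOWED_ACTIONS:
        return {"error": "unknown action"}
    domain = req.get("domain")
    if not isinstance(domain, str) or not domain or len(domain) > 253:
        return {"error": "invalid domain"}
    entry = store.get(domain.lower())
    if entry is None:
        return {"status": "not_found"}
    return {"status": "ok", "login": entry["login"], "password": entry["password"]}


def serve(stream_in, stream_out):
    """Answer framed requests until EOF or the first framing error.
    Returns the number of requests handled successfully."""
    handled = 0
    while True:
        try:
            req = read_message(stream_in)
        except ValueError as exc:
            stream_out.write(encode_message({"error": str(exc)}))
            break
        if req is None:
            break
        stream_out.write(encode_message(handle_request(req)))
        handled += 1
    return handled


def serve_bytes(raw):
    """Run serve() over an in-memory byte string; returns (handled, decoded replies)."""
    out = io.BytesIO()
    handled = serve(io.BytesIO(raw), out)
    replies, reply_stream = [], io.BytesIO(out.getvalue())
    while (msg := read_message(reply_stream)) is not None:
        replies.append(msg)
    return handled, replies


if __name__ == "__main__":
    # As a real host: the browser launches us and talks over stdin/stdout.
    serve(sys.stdin.buffer, sys.stdout.buffer)
    sys.stdout.buffer.flush()
```

The point of the strict framing is that a page script cannot reach this host at all (only the extension can open the port), and even the extension can only ask a closed set of questions; a malformed or oversized frame ends the session with an error rather than being partially parsed.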

------
robk
From down thread: "@moeadham It will take a long time to fix this properly,
it's a major architectural problem. They have 90 days, no need to scramble!"

------
xs
Does Tavis get any overtime for finding a bug on Saturday?

