Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Chrome Communications Firefox Java Privacy Security The Internet

LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com) 126

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.
This discussion has been archived. No new comments can be posted.

LastPass Bugs Allow Malicious Websites To Steal Passwords

Comments Filter:
  • ......your local 3-letter government agency.
    • by Anonymous Coward

      Tell us how you really feel. Most decent operating systems have a password manager built in. Why not just use the one that is included in your system, which is encrypted with your login password and doesn't post itself to the internet? I mean if your system is compromised your passwords are compromised either way right?

      • Platform interoperability. That's why.
  • KeePass FTW! (Score:5, Informative)

    by OutOnARock ( 935713 ) on Wednesday March 22, 2017 @07:48PM (#54092591)
    also, first post!
    • Comment removed based on user account deletion
    • by Anonymous Coward

      ++

      A password manager running in a browser process is a terrible idea.

    • Re:KeePass FTW! (Score:5, Informative)

      by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Wednesday March 22, 2017 @08:33PM (#54092825) Homepage

      I'll second KeePass. Not just because it's what I use, but because it takes serious measures to protect your data [keepass.info]. Anyone can make a functioning password safe, but the way KeePass does it shows it was designed with an eye toward security. As a dev, I can appreciate it.

      A browser extension? Really? Your OS has a massive, old, reliable security feature in that one process can not easily access the memory of another process, and you choose to not use that and instead build support directly into the largest attack vector on your PC, the browser?

  • by 0x537461746943 ( 781157 ) on Wednesday March 22, 2017 @07:54PM (#54092627)
    I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.
    • This! (Score:5, Insightful)

      by s.petry ( 762400 ) on Wednesday March 22, 2017 @09:49PM (#54093167)

      I know of companies (perhaps even my current) which recommends people use LastPass over KeePass/KeePassX. The fact that they recommend a person use a password generator is good, but anything in the Cloud means that you _DO_NOT_ have physical control of the system storing passwords. The First rule of security is that you must have physical control of everything. All other Security rules come after that one.

      The Company problem is a symptom of promoting "marketing geniuses" and "number crunchers" to be in charge of Security, instead of promoting Security geniuses to be in charge of Security. As a security expert I have some great horror stories about bad decisions, and can tell you that stock options are constantly ready to be sold.

      • by TheCarp ( 96830 )

        In a twisted way it makes sense. File loss is more common a problem than actual compromise. This absolves them of needing to offer a solution.

        Personally I ditched even keepass for password store because it solves this by supporting git for sync.

        Its cross platform, uses gnupg in the back end, meaning no custom encryption code and a well known, trusted code base. Plus, because it is gpg based, all but a couple of special snowflake implementations natively get the benefit of hardware keys that gpg supports.

        Sin

        • by s.petry ( 762400 )
          if you don't control the Git server you suffer from the same problem. Once someone obtains your files, the cracking can begin. I'm not saying that cracking would be easybut the amount of resources available to hackers is insane. There are millions of compromised hosts being used constantly for these purposes, as well as sending spam, serving malware, etc... The old days of simply being concerned with State Actors is no longer valid.
          • by TheCarp ( 96830 )

            1. Yes but, you can have many git servers. Each repo is a full copy so central repos are basically throwaway. Lose one, make a new one, push to it.

            2. The amount of available resources is amazing but, still, nobody cracks gpg encrypted files, nobody is dumb enough to try. Keeping up with the tool chain and updating keys every few years as the recomendations and capabilities change should do you fine.

            generally the weak point anyone would assault a gpg based setup is either key storage or end point usage.

            Nothi

            • by s.petry ( 762400 )
              What a great idea! Distribute secure information to as many locations as possible! Pure Genius!
        • by s.petry ( 762400 )
          I should also have provided my solution. I have Mac, Linux and Windows versions of Keepass and KeepassX on a thumb drive. I clone the drive and maintain a backup in a safe. My thumb drive contains the keepass DBs as well as the binaries. It's portable and self contained so I don't worry about someone snagging my data. The master password is a beyatch for my master DB containing other passwords. Other keepass DBs which actually contain connection data have a 32 character random "strong" password stored
          • by TheCarp ( 96830 )

            Not going to lie, I miss keepass and its autotype function. I tried to mock something up with xdotool but never really worked right.

            That is mostly what I did, though instead of a thumb drive I just used git to keep some copies around...though, on windows I just used scp because I had trouble with git-annex. I never trusted thumb drives that much. I have lost data from them and if a backup procedure is too manual, I know I wont follow it.

            Then I bought a yubikey, and the more I looked at it, the more attracti

      • Re:This! (Score:5, Interesting)

        by mattwarden ( 699984 ) on Wednesday March 22, 2017 @11:21PM (#54093473)

        I hear you. It's a tough subject. I am pretty paranoid (in the general spectrum, not the slashdot spectrum), and I used KeePass and resisted LastPass for a long time. And I kept my KeePass vault in a TrueCrypt volume. It was a pain in the rear, and useless on my mobile device, and I slowly slid back to password strategies I could remember, which were unique to each site but if one site was compromised an attacker could figure out the pattern.

        I did move to LastPass after reviewing managers and reading about how LastPass decrypts your vault locally, and deciding I believe them well enough. Of course that doesn't matter too much, because if they ever wanted my passphrase they could get it and store it when I log in. But again, my point is that there is a balance, and my own behavior when convenience was low was to slide into poor practices. With LastPass, I have a single point of failure, but I'm comfortable with it and outside of that my password practices are much much better.

        • I use KeePass on my Android phone. There are mobile versions of that tool if you want to use them.
        • One thing LastPass will do for you that the copy/paste solutions won't is that LastPass will not autofill your wellsfargo.com credentials into a login page at wallsfergo.com. (Substitute less obvious domain-squatting combination.) For the even slightly security-aware, the "no domains match" is a speedbump between you and total pwnage.
      • by AmiMoJo ( 196126 )

        Lots of commentators on Slashdot have recommended LastPass over Keepass too, despite repeating warnings that having your password manager running in the browser process is a really, really stupid idea. Seems like even people who should know better are for some reason keen to trust LastPass.

        This is now the 4th major severe security incident to affect LastPass. Do they have an affiliate scheme or something?

        • by Anonymous Coward

          then use their binary version and don't install the extension.

          at least understand the product before criticizing it

    • by Bongo ( 13261 )

      I am surprised that anyone serious about security would ever install a web browser password plugin for their password management software. It seems logical that it is just a bug away from password compromise.

      Oh I agree. I think people have been recommending password managers despite the, "all your eggs in one internet connected basket" thing.

      Unfortunately there aren't many options. All I can think of is an air-gapped encrypted tablet whose sole purpose is to keep passwords. And then physically typing them.

      Which makes the bunch of random words the much more attractive way; easy to read and type.

  • by Anonymous Coward

    Don't use an online password manager. Copy and paste your password when needed, then clear the clipboard. It's not perfect, but I'll take mSecure over some of these other password managers any day. And I don't back up my passwords in the cloud. They're encrypted on an SD card.

    • Re:Simple solution (Score:5, Insightful)

      by Anonymous Coward on Wednesday March 22, 2017 @08:37PM (#54092837)

      Copy and paste works fine, but beware of the risk of other scripts within the login webpage and other open browser tabs accessing the clipboard.

      To digress a bit, but related to this topic. Slashdot has jumped the shark with ads in recent months. Makes one wonder how secure Slashdot is serving up hundreds (really! 392 at the moment, but seen it upwards of 500 already) of cookies and numerous trackers. Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc in hopes of hacking well known websites that Slashdot users do work for.

      Bottom line, be wary of having Slashdot open in a separate tab while doing anything sensitive. Likewise for many other sites that serve up obnoxious ads. Use of an blocker can help, but isn't fully comprehensive security in and of itself...

      Ironically, in light of the above issues, use of a password manager, whether cloud based or not, is likely safer than copy and pasting from a local text file.

      • by ShaunC ( 203807 )

        Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, it's within the realm of possibility of rogue scripts being served with Slashdot to scarf up clipboard data, passwords, etc in hopes of hacking well known websites that Slashdot users do work for.

        No doubt [slashdot.org]. If the "good guys" target Slashdot users, you can bet the black hats do, as well.

    • And I don't back up my passwords in the cloud. They're encrypted on an SD card.

      How do you enter passwords on your cell phone?

  • So, I with being online over 20 years. I still use variations of passwords from when i was a kid in the 90's. Use a few passwords and variations of those. add caps and exchange letters for numbers aka "l33t" never once has one of my accounts been compromised. Although im security conscious and often think how i would hack myself to keep myself safe. I dont understand how so many people fall victim. I feel its pure laziness.

    • Re:It's sooo easy! (Score:4, Insightful)

      by Daemonik ( 171801 ) on Wednesday March 22, 2017 @08:19PM (#54092761) Homepage

      Nobody has to hack YOU, they hack the website you log into and download all their passwords then just keep trying those password/username combinations on other websites until they crack another one over and over again. You individually aren't worth much other than a shim to try to break into the next web server. Your accounts could be shared all over Russian hacking circles and you'd never know until the website you use reports a break in that might include your login.

      Smug people are just victims who don't know it yet.

      • As i said, Variations. I know a few of the black hatters. and that's now how they work. now if there was a large dump they would run the credentials at a few sites(would effect me none) that they want to gain access to. and it is completely about personal info. in case you didn't know and want to do some research sometime before you talk to somebody that used to be involved. the personal information is the part that's worth money. the trying user/pass to other sites is to get MORE personal info. like credit

    • by Desler ( 1608317 )

      Using 1337speak does very little in making your password safer.

      • depending on the words you use it will fool almost all password list files, and bruteforce becomes a lot harder with multiple numbers letters lengths capitols and special characters.

    • I too have a password I've used over ten years.

      I only use this for low security accounts that don't have any financial implications associated to them. But yes, that password got hacked.

      I know this because I typed it into a 'has your password been hacked' site and it said yep, and told me what had happened. These sites exist because lists of passwords that have been hacked exist.

      IRC I think it got cracked on yahoo or something; it wasn't like anything I'd done wrong.

      • I know this because I typed it into a 'has your password been hacked' site and it said yep

        Thanks for the great laugh before bed. thanks for adding your password to a password file that a few, probably not many have. but those people are not fools. Please do not do that ever again. lol

        • You know what? You're not nearly as smart as you think you are. I first typed in random 'passwords' that weren't my LOW security password, and it said that those hadn't been hacked. And I didn't type in any of my high security passwords, and those are different on each site anyway, so there wouldn't be any point.

          "Use a few passwords and variations of those. add caps and exchange letters for numbers aka "l33t"

          Hahaha. Don't do that, moron.

          • Well than your "low security" passwords were probably commonly used. i know mine arent and i dont worry. im trying to give people advice from an ex black hat. I try to help now, but MOST of those "is your pasword hacked" lists are nothing but a honeypot for more passwords. the only trust worthy ones are the ones that you enter the username and if its in a dump it will show you your password. and theres not many of those. take it how you will. but putting a password into the wild to "see if it was stolen" is

            • Didn't matter a lot. Maybe it was a honeypot, maybe it checked a whole bunch of sites in a man in the middle attack- but I DIDN'T type in my username, so they would have had to check all the lists of millions of entries and do it very quickly, so I don't think so. And it listed out which breach it was, and it matched up. And I think it used a rainbow table for checking it, so they (allegedly) weren't sending my password in the clear.

              It makes little difference, I didn't give a shit about any of the accounts,

              • as i said if it was a honeypot, your password went into a password list. and there are some very sophisticated honeypots out there. i have a friend setting one up for whitehat purposes and you cant tell it from a real machine. it even lets you ddos from it. the fact of the matter is that password managers aren't a good idea. local encrypted ones are better, but the best is using strong memorable passwords. its harder for some people than others. i dont have an issue with it. im just trying to help people

                • Memorable passwords are usually not secure, particularly if you reuse those passwords in any way, and swapping characters, and replacing letters with numbers are really stupid things to do, since they are trivially easy to brute force. Then if you lose any account, they're likely all blown.

      • I can see if your bank account has been hacked for you. Just send me the account number, routing number, and your name, address and SSN and I'll let you know in my own special way ASAP!
  • Has simply never been hacked.

  • Never use autofill (Score:5, Interesting)

    by vanyel ( 28049 ) on Wednesday March 22, 2017 @08:20PM (#54092771) Journal

    This is the sort of thing why I've never let any sort of browser thing do autofill. I have a password manager on my phone and when I need to, I look it up and *type* it in. A minor nuisance, but for frequently used passwords, I then don't need it as I actually remember them. The others are by definition infrequently used.

    Though I have to admit, it's the most used feature of my phone. It also means I don't have to worry about synchronizing across many different browsers and computers, or the lack of security having all that in multiple places.

  • by Gojira Shipi-Taro ( 465802 ) on Wednesday March 22, 2017 @08:38PM (#54092843) Homepage

    Bugs have already been patched. Stop with the FUD please. Yea it's bad they existed, but they're gone.

    • by AmiMoJo ( 196126 )

      We don't know how long they were exploited for, or by how many people. This is why having your password manager running in a separate process with only a manual copy/paste bridge between them is a really good idea.

    • If one existed, then two exist. There's a high probability of that heuristic being true.
  • Looks like they already patched it.
  • It's a question of how fast you can build a wall before someone tears a hole though it. Security is only temporary.
  • To you, the douchebag that said use password manager or your will be hacked. I have been using the same formula for generating passwords for almost 2 decades and I have not had any issues. Enjoy your increased threat level by using additional software to store your password. You almost convinced me.
  • FYI, on Twitter, someone asked Ormandy what was the best password manager. His reply was "KeePass or KeePassX are both perfectly reasonable choices." Source: https://twitter.com/taviso/sta... [twitter.com]
  • Okay, I'll admit it, I'm the maker of a lesser known password manager that has been around for ages. The weakest part is the operating system's handling of the clipboard - there is no OS-level support for clipboard wiping and no guarantee that sensitive data isn't written to disk. Moreover, there is generally not enough protection against keystroke loggers, who are the #1 method for obtaining the master passphrase.Apart from these obvious vulnerabilities against which I cannot do anything, my application wo

  • Why would anyone with even pretensions of being a geek link their password manager to a browser, beyond the two applications sharing the same OS install? I've been using a password manager for years, and it would NEVER have occurred to me to make it easy for my browser to access it directly. I don't consider myself terribly security conscious; but dangling a LOT of low-hanging fruit in front of would-be attackers was just never even on my radar. Goes without saying that the first thing I did when browsers i

  • To me, the scariest part of the numerous vulnerabilities report is not the bugs themselves, but rather the response that LastPass had to project-zero #1209. See Comment #4 at https://bugs.chromium.org/p/pr... [chromium.org] : "[LastPass] also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac." If this is the level of scrutiny that LastPass is putting into its security incidents, I'm losing confidence in their ability to sa

No spitting on the Bus! Thank you, The Mgt.

Working...