LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)
Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty about password managers, as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users' passwords to be extracted from the autofill feature. Flash forward to the present and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which, if exploited, would have allowed a third party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, either owned by the attacker or via a compromised legitimate site.
please use a password manager.... (Score:2)
Re: (Score:2)
The problem is the generated passwords. Go read a few IPSec articles about passwords. Also, changing passwords on sites is a bad idea unless an absolute necessity. Also in said articles.
Re: (Score:2)
The problem is the generated passwords. Go read a few IPSec articles about passwords. Also, changing passwords on sites is a bad idea unless an absolute necessity. Also in said articles.
Citation required for any absurdity claiming that changing passwords is a bad thing.
KeePass FTW! (Score:2)
Re: (Score:3)
I'll second KeePass. Not just because it's what I use, but because it takes serious measures to protect your data [keepass.info]. Anyone can make a functioning password safe, but the way KeePass does it shows it was designed with an eye toward security. As a dev, I can appreciate it.
A browser extension? Really? Your OS has a massive, old, reliable security feature in that one process can not easily access the memory of another process, and you choose to not use that and instead build support directly into the largest atta
Keep passwords away from web browser integration (Score:4, Interesting)
Re: (Score:1)
Copy and paste works fine, but beware of the risk of other scripts within the login webpage and other open browser tabs accessing the clipboard.
To digress a bit, though related to this topic: Slashdot has jumped the shark with ads in recent months. Makes one wonder how secure Slashdot is, serving up hundreds (really! 392 at the moment, but I've seen it upwards of 500 already) of cookies and numerous trackers. Slashdot is often associated, whether rightly or wrongly, with being populated by many tech related users, i
Re: (Score:1)
How do you enter passwords on your cell phone?
It's sooo easy! (Score:1)
So, I've been online for over 20 years. I still use variations of passwords from when I was a kid in the 90's. Use a few passwords and variations of those. Add caps and exchange letters for numbers, aka "l33t". Never once has one of my accounts been compromised. Although I'm security conscious and often think how I would hack myself to keep myself safe. I don't understand how so many people fall victim. I feel it's pure laziness.
Re: (Score:3)
Nobody has to hack YOU; they hack the website you log into and download all their passwords, then just keep trying those password/username combinations on other websites until they crack another one, over and over again. You individually aren't worth much other than as a shim to try to break into the next web server. Your accounts could be shared all over Russian hacking circles and you'd never know until the website you use reports a break-in that might include your login.
Smug people are just victims who don'
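The reuse pattern described in that reply (one source replaying a leaked username/password list against a different site, one attempt per account) has a recognisable shape in an authentication log, and that shape is what a defender looks for. The following is an added example, not code from the thread or from LastPass or Slashdot: the log format, the thresholds and the sample log lines are all constructed assumptions. It flags sources that try many distinct accounts within a short window, which is what distinguishes credential stuffing from a brute-force run hammering a single account, and then lists the accounts that actually succeeded from such a source, since those are the reused-password hits that need a forced reset.

```python
"""Credential-stuffing detector over constructed auth-log lines.

Added example for illustration only; the log format, thresholds and
sample lines below are constructed assumptions, not any real product's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <result>".
# 203.0.113.7 tries six different accounts once each within seconds (stuffing);
# 198.51.100.9 retries a single account a few times (ordinary user or brute force).
SAMPLE_LOG = """\
2017-03-22T10:00:01 203.0.113.7 alice FAIL
2017-03-22T10:00:02 203.0.113.7 bob FAIL
2017-03-22T10:00:03 203.0.113.7 carol FAIL
2017-03-22T10:00:04 203.0.113.7 dave OK
2017-03-22T10:00:05 203.0.113.7 erin FAIL
2017-03-22T10:00:06 203.0.113.7 frank FAIL
2017-03-22T10:05:00 198.51.100.9 alice FAIL
2017-03-22T10:05:30 198.51.100.9 alice FAIL
2017-03-22T10:06:00 198.51.100.9 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set(users)} for sources that touch >= min_users distinct
    accounts inside any `window`-long span of their activity.

    A stuffing run is many usernames from one source, not many attempts on
    one username, so the metric is distinct accounts per source, not failures.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _ = parse_line(line)
        events[ip].append((ts, user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            # Keep the largest distinct-account set seen for this source.
            if len(users) >= min_users and len(users) > len(flagged.get(ip, ())):
                flagged[ip] = users
    return flagged


def successful_logins_from_flagged(log_text, flagged):
    """Accounts that were successfully logged into from a flagged source.

    These are the accounts whose password was reused from the leaked list;
    the defensive action is to invalidate sessions and force a reset.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if ip in flagged and result == "OK":
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    for ip, users in sources.items():
        print(f"possible credential stuffing from {ip}: {sorted(users)}")
    for ip, user in successful_logins_from_flagged(SAMPLE_LOG, sources):
        print(f"account {user!r} was accessed from flagged source {ip}; force reset")
```

The thresholds (five distinct accounts in five minutes) are deliberately loose for the toy log; on a real site you would tune them against normal traffic and, for shared NAT addresses, key on more than the source IP.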
My Post-It Password Manager (Score:2)
Has simply never been hacked.
Re: (Score:2)
The exploits mentioned weren't cloud-based, but local in the browser, though?
Never use autofill (Score:2)
This is the sort of thing that's why I've never let any sort of browser thing do autofill. I have a password manager on my phone and when I need to, I look it up and *type* it in. A minor nuisance, but for frequently used passwords I then don't need it, as I actually remember them. The others are by definition infrequently used.
Though I have to admit, it's the most used feature of my phone. It also means I don't have to worry about synchronizing across many different browsers and computers, or the lack of secu
Allowed. Not allows (Score:2)
Bugs have already been patched. Stop with the FUD please. Yeah, it's bad they existed, but they're gone.