LastPass Bug Leaks Credentials From Previous Site

Password manager LastPass has released an update last week to fix a security bug that exposes credentials entered on a previously visited site. From a report: The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team. LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12. If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they're advised to perform a manual update as soon as possible. This is because yesterday, Ormandy published details about the security flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.

My password manager:

[olsmeister]

Paper list in my desk drawer.

Re:

[antdude]

Cool. Now, we know where to find your passwords. :P

Why are people that insane?

[BAReFO0t]

Uploding your entire password database to a third party ...

We REALLY need ubiquitous home servers. And the death of "the cloud" and everyone who ever helped that un-word spread.

Re:Why are people that insane?

[AikonMGB]

Right, so, based on my understanding, this flaw had absolutely nothing to do with the password database being stored in the cloud (which, for all providers worth their salt, is encrypted client-side); it had to do with the browser extension that provided access to the password database in order to use the passwords. A home server or offline file store as a password database would not have mitigated this security flaw.

Whether browser extensions for filling passwords is a good idea or not is an entirely different discussion, and comes down to convenience vs security, as well as user psychology (as in people won't use password managers at all if they are too much of a hassle, and as a result fall back on poor password practices so that they can actually remember them).

Re:

[Rick Shasta]

Keepass is free and has no webby thing?

Re:

[AikonMGB]

Not sure I follow -- there is a plugin [keepass.info] that allows KeePass to be used in e.g. Chrome, and there's no reason it couldn't exhibit similar or other security flaws. And if users choose not to use that or any other browser plugin, then it returns to the security vs convenience matter I brought up.

Re:

[TechyImmigrant]

Not sure I follow -- there is a plugin [keepass.info] that allows KeePass to be used in e.g. Chrome, and there's no reason it couldn't exhibit similar or other security flaws. And if users choose not to use that or any other browser plugin, then it returns to the security vs convenience matter I brought up.

I choose that way. I copy and paste from the keepass application.
I have a significant distrust of browser plugins handling my secrets. They do not have a good track record.

Re:

[AikonMGB]

Entirely reasonable choice, particularly given the topic at hand.

Re:

[Anonymous Coward]

Posting AC to preserver moderation.

CTRL+ALT+A in KeePass is your friend. Learn to use it.
Alternatively, right click an entry, autotype, choose a sequence.

Re:

[Ksevio]

Certainly possible in LastPass as well of course

Re:

[AmiMoJo]

The problem with LastPass is that there is no offline client. It's all online, you have to use their browser extension or their web site. It's all written in Javascript.

Re:Why are people that insane?

[vux984]

Uploding your entire password database to a third pary ..."

Is neither the cause of this issue, nor a solution to prevent it. If you ran a password app that stored your passwords locally or on a home server it could have had the same flaw.

This is the risk you take not for using a cloud solution, but for using any solution that can auto-fill your saved passwords.

You can debate the merits of storing your password database on the cloud, but that's a completely separate issue. And for what its worth, when i used "Password Safe" I kept the safe file synced to the cloud too.

We REALLY need ubiquitous home servers.

Says every hacker on the planet. Because THOSE will be behind on updates, poorly secured, poorly managed, unmonitored, and just waiting to be assembled into the botnet.

If/When joe sixpack has a home server it'll be because it's plug and play and will be about as secure as the rest of the "IoT trash"

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[swillden]

I do not trust the cloud. I trust myself even less.

I may just steal that for my sig.

The common /. notion that "My server is more secure than cloud servers" is an example of the Dunning-Kruger effect. Granted that there are some additional reasons for distrusting the cloud, but they're dominated by the reasons for distrusting oneself.

Re:

[LeeLynx]

Security by obfuscation is very much still a thing. One's standalone server is not one of many in a huge mass, arranged into a giant bullseye.

Re:

[mark-t]

In principle, there's nothing wrong with it, as long as your password database is encrypted in such a way that only you can decrypt it with information that only *you personally* happen to know. To anyone else, it would be nothing but a random binary stream.

Re:

[AmiMoJo]

Does LastPass support keyfiles and 2 factor auth? It would be unwise to have the encryption key purely derived from a password.

Re:

[denbesten]

To anyone else, it would be nothing but a random binary stream.

Such as “ji32k7au4a83” [gizmodo.com]?

Re:

[tomhath]

We REALLY need ubiquitous home servers.

And keep your home server locked in a bathroom closet. It worked so well for Hillary.

Re:

[TechyImmigrant]

>Uploding your entire password database to a third party ...

Is what makes sense. Encrypt it. Upload it to an online file store. Sync that file store with multiple devices. Now you have many physical copies, both local and remote.

Re:

[gitano_dbs]

>Uploding your entire password database to a third party ...

Is what makes sense. Encrypt it. Upload it to an online file store. Sync that file store with multiple devices. Now you have many physical copies, both local and remote.

I do that but using Keepass https://keepass.info/features.... [keepass.info] , on this password manager you take care of the encrypted file database.

Re:

[TechyImmigrant]

I'm using keepass.
Any competent password keeper should do, but there's evidence that Keepass is written by competent people.

Re:

[ctilsie242]

We already have two places offering very good home server offerings -- Synology and QNAP. They can do a lot of cloud functionality, even allowing you to use KeePass.

Wish more people used them, as they work quite well.

Re:

[vux984]

Both Synology and QNAP are pretty easy to backup TO, but they seem to be painful make solid backups *of*. You can always hack something together, but its usually unsupported by anyone but you; and backup monitoring and backup status etc is not well handled. The built in backup software is pretty limited in my experience.

Also, both represent a series of single points of failure in the average home network.

The device might keel over.
The router might keel over.
The "modem" might keel over.
Your internet service

Password Manager = Single Point of Failure

[Comboman]

Where are all the self-proclaimed security experts whose number one advice is always "use a password manager"? As long as you don't reuse passwords, the worst that can happen without a password manager is a single site/service can be compromised. With a password manager, you're putting all your eggs in one basket.

Re:Password Manager = Single Point of Failure

[Nidi62]

I pick really strong passwords and store them where I could never lose them: I just get them tattooed on my body. It's worked so far, but with my work forcing me to change my password every 3 months it's been a real pain in the neck.....and the arm....then the other arm.....

Re:

[GoTeam]

The correct answer is security by obscurity. Create a folder on your root drive named "GenericItems". In that folder create a text file named "FavoriteEpisodes.txt". In that txt file, type all the websites, usernames, and passwords you want to remember. Unbreakable security is now yours!

Re:

[Larry Lightbulb]

Just create notpasswords.txt, that'll fool everyone.

Re:

[Nidi62]

Or just put it in a folder labeled "Garbage", right next to your copy of the da Vinci virus.

Re:

[WallyL]

I just listened to a man describe how he beat the government of China when bringing his laptop in that country. He put his contraban (Evangelical Christian training materials) in his Windows folder, because nobody would ever look there! And then he wanted to look up a Bible verse online, and come to find out the site wasn't blocked-- no vpn needed! So he browsed from his computer sitting in one of those "underground" (i.e., clandestine) locations reading materials officially not approved by the government t

Re:

[skids]

You may be sarcastic but you're not far off:

Create a file listing the sites and usernames where you have accounts, one per line
Memorize one password.
Memorize a systematic way to paste the contents of that line into the following command (windows users will have to use a more complicated cli):

cat - | sha256sum

Paste the content in, type in the one password after that (or before it, or somwhere in the middle, as long as it's systematic) hit enter, hit control-D. Out pops a number ....unique to each website...

Re:

[Culture20]

Sadly, there are a lot of sites where sha256sum is too long, but they'll happily accept the whole string when creating the password, truncate it in their store, then fail when you try to log in with the whole sha256sum.

Re:

[mark-t]

By far, the biggest problem with not reusing passwords without a password manager is that people forget their own passwords, or forget which password they used with which service.

Re:

[mark-t]

And if any one of those gets compromised, it's pretty trivial to deduce any others... only marginally better than using the same password everywhere.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[ctilsie242]

Don't forget 2FA. If someone gets my password out of the PW manager, they still have to figure out either the six digit code, or how to spoof the FIDO key.

MFA is a nice thing -- I don't have to guard my password with my life anymore.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ScooterBill]

What's really needed is for companies to quit collecting all our data and then "accidentally" divulging it to the world.

Re:

[kingbilly]

I like the last paragraph. Especially the first sentence.
Personally, I use a password manager but I do NOT keep my main email and main bank credentials in the manager. Email is the most important, since all password resets go there. I'm fine with memorizing a good password just for email.

Re:

[radarskiy]

"On the one side you have absolute security. On the other side you have absolute ease of use. "

TBF, you can have bad security that is also hard to use.

Re:

[GuB-42]

As long as you don't reuse passwords

That's exactly the reason why experts recommend password managers. Remembering dozens of secure passwords is too much to ask for most people. If you can do that, by all means do it, but if you have to chose between using a password manager and reusing password, of course you should use a password manager.

If you are don't trust your password manager completely, you don't have to use it for your most critical passwords.

Re:

[ctilsie242]

This is all about security tradeoffs.

I use BitWarden which doesn't paste info into fields until told to, which completely mitigates this vulnerability. Yes, it is less convenient than having your username/PW auto populated, but it stops these attacks cold. I also use a PW manager because I rather use a 32 character password on each site that is completely different, than to reuse a PW and have an attacker be able to use it on multiple sites.

The chance of someone getting my BitWarden account is far, far le

Re:

[AmiMoJo]

The problem is not password managers, it's LastPass. Decent password managers work offline and are free. You can copy/paste passwords in to the browser if you need to.

If you want cloud sync the KeePass supports it, including using your own server.

If your offline password manager is compromised then you are screwed anyway because the attacker controls your PC and has every keystroke and your browser and all the rest anyway.

Memorizing hundreds of different site specific passwords is not an option for most peo

Re:

[Ksevio]

The same exploit would be possible for an "offline" password manager if you used the plugin

LastPass has been in the news ...

[CaptainDork]

... before on / [slashdot.org].

LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted [slashdot.org] a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

Re:

[ctilsie242]

It was breached, but at least the attack was mitigated by the user's master passwords.

I do wonder if 1Password's method may be better, because for one to be able to decrypt from their servers, it requires the password, and a randomly generated encryption key which a user is supposed to put in a recovery kit and set aside. This in addition to 2FA which adds authentication protection (although it doesn't help with security of encrypted data if a bad guy filches that.) 1Password's method makes brute forcing

Project Zero

[quintus_horatius]

discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team.

Imagine if someone managed to break into Project Zero's system(s). Who knows how many embargoed zero-days would suddenly become available. Mass pandemonium as companies scrabble over fixes.

Almost makes a security researcher into a liability.

Re:

[ctilsie242]

This isn't something we really want to see. First thing that would happen is that the companies who usually have the most insecure stuff will run to the lawmakers and ask for DMCA-like laws against security breach divulging. The result of this is that yes, there wouldn't be any Project Zeros, except more companies finding their stuff breached and telling the press, "we did everything... the hackers were too good for us".

Of course, the C-levels would be making a ton of cash shorting their stocks before the

Seriously?

[techm]

Who in their right mind thinks it's a good idea to store their passwords in an online 3rd party database? Might as well just hand crooks the keys to your house and car and say "here hold these for me, I trust you because I'm too lazy not to"

Conveniences instead of security?

[QuietLagoon]

I type in the password for the sites I visit. Yes, it is not the most convenient thing, but at least I know some third-party is not leaking my passwords all over the place.

Re:

[samdu]

You mean third parties other than the third party sites you're typing your passwords into, right?

Chrome

[dicobalt]

The Chrome version hasnt been updated yet. It's the Sept 11 version 4.33.0

Who uses LastPass anyway?

[OneHundredAndTen]

Who loads a file with sensitive material (passwords, for goodness sake!) to the cloud, under the control of some third party, whose security processes and mechanisms you have no way to assess and vet? How irresponsible can you be?

CLOUD: Certainly Lose Our Unique Data.

Does the following mitigate lastpass attacks?

[risc8088]

lastpassplugin -> extension options -> site access (Allow this extension to read and change all your data on websites you visit) -> onclick

Re:

[account_deleted]

Comment removed based on user account deletion

4.11 android

[MiliusXP]

My android phone is having v 4.11.4556 released 9/9/19 at 06:09 and is up to date ... I guess Android current version is not 4.33+

Who would get the bug bounty?

[Paxtez]

Let's prevent LastPass has a bug bounty program (I don't know either way), also let's prevent he was working for Project Zero at the time it was discovered. Would Tavis get the bounty? Or would it go to Google? Or Google just say, "Nah, keep your money. Just fix it."?

Aptly named application!

[Chriscypher]

At least they named their application appropriately: "Last Pass". You need access to the last password they used? You've got it!

Mitigation?

[Big Nemo '60]

For several weeks, my "recently used" menu in Lastpass was empty.

It was annoying as Hell ((recently used sites are usually the ones used more frequently, so it is a convenient feature).

Many users (including me) posted complains in the forum. We were surprised - and rather upset - to get no feedback at all from Lastpass (at least the last time I checked the forums - after a while I gave up).

After the latest update of the software, the "recently used" menu works again.

Now I wonder if disabling the "recently u