MacRumors

macrumors bot
Original poster
LastPass has advised all users of the password manager to launch sites directly from the LastPass vault and enable two-factor authentication wherever possible, until it addresses a vulnerability discovered in LastPass browser extensions.

The client-side vulnerability, discovered by Google security researcher Tavis Ormandy, allows for an attack that is "unique and highly sophisticated", said LastPass in a blog post, without disclosing further details.

Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy - Tavis Ormandy (@taviso) March 25, 2017
Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.
To secure sign-in credentials in the meantime, LastPass has recommended that users launch sites directly from the vault and make use of two-factor authentication on sites that offer it, while remaining vigilant to avoid phishing attempts.

The news follows the discovery and patching of earlier remote code execution (RCE) vulnerabilities in the LastPass extensions for Firefox, Chrome, Opera, and Edge that could be used to steal passwords. Safari was not mentioned in the original vulnerability alert and the mobile apps were not affected, but concerned users can follow the advice regardless until LastPass offers further news on the situation.

Article Link: LastPass Working on Security Patch For Browser Extension Vulnerability
 
I use a simple password app, that doesn't connect to the internet doesn't use the cloud etc.

It's simply just a place to store all my passwords in one place and I just look them up when I need them.

I will never ever use any kind of password service.
 
I use a simple password app, that doesn't connect to the internet doesn't use the cloud etc.

It's simply just a place to store all my passwords in one place and I just look them up when I need them.

I will never ever use any kind of password service.

What if you lose your phone (I assume the app is on your phone)? Won't you lose those passwords?
 
LastPass is good enough for Steve Gibson (if you don't know who he is, look him up), and it's good enough for me. I've used it for many years and while nothing is ever foolproof, LP is about as good as it gets. They will have this fixed soon and I for one appreciate their transparency.
 
LastPass is good enough for Steve Gibson (if you don't know who he is, look him up), and it's good enough for me.
It may be good enough for him, but I'd rather not go with a product that has had numerous issues with vulnerabilities and hacking. Regardless of his security chops, I think storing your data with a company that has such a poor track record of securing your data is not the best move imo.
 
What if you lose your phone (I assume the app is on your phone)? Won't you lose those passwords?

No, I have the app on my iPad and Mac as well. They don't link with each other; I manually put in my passwords.

And besides if I lose my phone I have a backup on my Mac and in iCloud.

It's like anything if you lose your phone.
 
No, I have the app on my iPad and Mac as well. They don't link with each other; I manually put in my passwords.

And besides if I lose my phone I have a backup on my Mac and in iCloud.

It's like anything if you lose your phone.

Hope no one manages to get inside your iCloud.

But I'll never understand why Apple (or even Microsoft) don't release password manager software that doesn't connect to the cloud. I would only trust Apple or Microsoft for my passwords, as long as it bleeding doesn't connect to the cloud, as Keychain stupidly does.
 
Hope no one manages to get inside your iCloud.

Well I think you could say that about anyone with any cloud service right?

I don't use a password cloud managing service. Only time I use iCloud is for backups and have not in a while, I back up to my Mac locally.

I don't understand your comment really, since most of everyone's passwords are stored in Keychain. Saying "sorry if someone breaks into my iCloud" or "sorry if someone steals my phone" is irrelevant.
 
No, I have the app on my iPad and Mac as well. They don't link with each other; I manually put in my passwords.

And besides if I lose my phone I have a backup on my Mac and in iCloud.

It's like anything if you lose your phone.
So your first post isn't true, you do use cloud services to store passwords.
 
LastPass is good enough for Steve Gibson (if you don't know who he is, look him up), and it's good enough for me.
I know who he is, but I don't know what makes him qualified to make pronouncements on the security of LastPass.
 
So your first post isn't true, you do use cloud services to store passwords.

First, I'm not looking for an argument; I don't know why people are hating on me. I do not use password services that use the cloud. This is what I was referring to.

I only use iCloud for backups if I am having issues with my Mac which is the main place where I backup my devices.

I don't understand the hostility here?
 
I've seen Gizmodo and others recommend LastPass repeatedly over the last 2 years yet I stopped using them 3-4 years ago when they were last hacked. You'd think they'd have learned from their past mistakes and I'm surprised people still use this service.
 
1Password is the only way I can make myself use complex passwords and frequently change them. It currently holds >1,000 passwords, most of which are 20+ characters of gibberish.
 
LastPass is good enough for Steve Gibson (if you don't know who he is, look him up), and it's good enough for me. I've used it for many years and while nothing is ever foolproof, LP is about as good as it gets. They will have this fixed soon and I for one appreciate their transparency.

No offence, but...
1. I can't know EVERY software engineer out there. I mean the fact you had to say 'look him up' means he's not THE authority.
2. Who cares about anecdotes? Base your decisions on fact, not anecdotes. Trust me, it's far more productive.
 