Security Lastpass Security Vulnerabilities [March 2017]

eva2000 · Mar 22, 2017

Ouch Lastpass latest security vulnerabilities What should password managers not do? Leak your passwords? What a great idea, LastPass

March 22nd, 2017 Update

From Important Security Updates for Our Users | The LastPass Blog

Incident Report: March 22nd, 2017 (2:30pm)
We want to provide an update to our community on the vulnerabilities recently reported by Tavis Ormandy, a security researcher on Google’s Project Zero team.

This is a long post, so you can get the need-to-know highlights in the overview, or dig into the details in the comprehensive summary below.

Overview

Two vulnerabilities were recently identified by security researcher Tavis Ormandy

Our investigation to date has not indicated that any sensitive user data was lost or compromised

All extensions have been patched and are being re-released to users

Our mobile apps for Android and iOS were not affected

No master password change is required

No site credential passwords need to be changed

Ensure you are running the latest versions

Most users will update automatically but the latest versions can always be downloaded from lastpass.com/download

Please check the LastPass Icon > More options > About LastPass to check your version

Firefox: 4.1.36

Chrome: 4.1.43

Edge: 4.1.30 (pending approval by Microsoft)

Opera: 4.1.28 (pending approval by Opera)

What happened
Tavis Ormandy, a researcher at Google’s Project Zero, reported two vulnerabilities to our team over the past week that affected many LastPass browser extensions. The reported issues affected both personal and business users.

To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.
Click to expand...

Original News

Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases.

The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google's crack Project Zero security team. He found that the LastPass Chrome extension has an exploitable content script that evil webpages can attack to extract usernames and passwords.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website is enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy can be tricked into granting access to the manager's internal mechanisms, which is rather bad news.

The script can also be abused to execute commands on the victim's computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage. A malicious website could exploit this hole to drop malware on a visiting machine. A victim must have the binary component of LastPass installed to be vulnerable to this attack.

"This script will proxy unauthenticated window messages to the extension. This is clearly a mistake," Ormandy explained in a bug report today.

"This allows complete access to internal privileged LastPass RPC [remote procedure call] commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."
Click to expand...

Other discussions / links

Critical security flaws found in LastPass on Chrome, Firefox

LastPass RCE vulnerability fixed | Hacker News

eva2000 · Mar 22, 2017

I started looking at 1password instead of lastpass but features in 1password seem lacking ? I accidentally imported lastpass csv data into 1password twice into same vault and found out there's no way to reset or delete on mass the entries in the vault other than contact 1password to totally reset my account and wipe all data. Still waiting on support to get back to me on that at 1password.

Also no way to delete duplicate entries that lastpass to 1password import created ?

So which password managers you you folks using or switching to from lastpass ?

Jimmy · Mar 23, 2017

I like Keepass.info. I upload the password file and key to a server and can use the software anywhere.

Open source, rock solid security, ton of features, I control the security... that's for me. Software has also been around for a long time. I would never trust my passwords to an online service.

RB1 · Mar 23, 2017

Yikes!!!

BamaStangGuy · Mar 23, 2017

I have been using 1Password for 2-3 years now. I love it personally. The new web interface is nice as well. Hopefully they release a Linux client one day.

Revenge · Mar 23, 2017

I use my brain.

eva2000 · Mar 23, 2017

Revenge said: ↑

I use my brain.
Click to expand...

haha that's some brain.. i have ~4,000 login entries to remember hehe

I also gave keepass a try and like it too seems easiest to get setup and so far no extra duplicate entries. Though there seems to be a tool natively built in to remove duplicates

but keepass core might be solid but seems like a lot of 3rd party plugins out there which may not be not be as secure ?

1password, still waiting on tech support to reset my account so can start over !

Revenge · Mar 23, 2017

eva2000 said: ↑

haha that's some brain.. i have ~4,000 login entries to remember hehe

I also gave keepass a try and like it too seems easiest to get setup and so far no extra duplicate entries. Though there seems to be a tool natively built in to remove duplicates

View attachment 3760

but keepass core might be solid but seems like a lot of 3rd party plugins out there which may not be not be as secure ?

1password, still waiting on tech support to reset my account so can start over !
Click to expand...

You can have a main base pass, and then you add something related to the domain you are trying to enter. Its impossible for you to forget and impossible for an hacker to discover.

Most sites now also have 2 step verification.

What is not secure is the risk you take everyday if someone hacks a service you use to save your passwords and all of a sudden someone have access to all your accounts.

pamamolf · Mar 23, 2017

I am thinking to post a topic about secure systems and services....

What do you think?

Jimmy · Mar 23, 2017

eva2000 said: ↑

I also gave keepass a try and like it too seems easiest to get setup and so far no extra duplicate entries. Though there seems to be a tool natively built in to remove duplicates

View attachment 3760

but keepass core might be solid but seems like a lot of 3rd party plugins out there which may not be not be as secure ?
Click to expand...

I don't use any 3rd party plugins with Keepass. Not sure what plugins are offered. I even had a server hacked way back in 2008 with the keepass file, never had an issue - though don't know if the hacker dloaded the password file or not.

Keepass has an Android app. KeePassDroid - Android Apps on Google Play

I can't trust an online service for my passwords, period... it's like asking for problems.

KeepassX on Linux is really nice.

Keepass did take some heat for a security issue. KeePass 2.34 plugs security issue - gHacks Tech News

pamamolf · Mar 23, 2017

Keepass for windows is the best but Windows is not the best OS for security.Actually is the worst!

KeepassX is a software that tries to mimic what keepass does on Windows but for Linux and is missing the latest features (last updated 5 months ago) and the implementation of original keepass may not be so good....

I am sure that on another post of me i was told users to avoid using Lastpass

https://community.centminmod.com/th...i-device-password-management.9420/#post-39687

eva2000 · Mar 23, 2017

Jimmy said: ↑

Keepass has an Android app. KeePassDroid - Android Apps on Google Play
Click to expand...

but that app is 3rd party not official by KeePass right according to Downloads - KeePass

totally forgot about needing equivalent Android app like Lastpass ! In that regard 1password might be better ? or do we put our logins' trust in 3rd party developed KeePass Android app ?

Jimmy · Mar 23, 2017

eva2000 said: ↑

but that app is 3rd party not official by KeePass right according to Downloads - KeePass

totally forgot about needing equivalent Android app like Lastpass !
Click to expand...

I doubt you're going to get an app from the keepass dev. It's open source, not a commercial product.

I don't personally use anything on my phone. But that app has 30K ratings and 4+ stars.

IMHO I'd put more faith in an open source project with a long track record vs. an online pw storage site. That's just me though.

eva2000 · Mar 23, 2017

Yeah decisions... decisions heh But ratings don't mean much coming from average joe users who aren't in the internet security industry heh.

Wonder if there's anything out there to allow 1password to KeePass continuous sync/import so new 1password entries sync to KeePass and vice versa ?

interesting read https://sourceforge.net/p/keepass/discussion/329220/thread/7823021f/

Jimmy · Mar 23, 2017

eva2000 said: ↑

But ratings don't mean much coming from average joe users who aren't in the internet security industry heh.
Click to expand...

Show me the link to lastpass and 1password source code. Everything with keepass is open. Don't rely on ratings, look at the source if the ratings are a sticking point.

Andriod apps:
Keepass2Android - Source Code
GitHub - bpellin/keepassdroid: KeePass implementation for android

Got an issue... look at the source, judge for yourself if it's secure.

eva2000 · Mar 23, 2017

Jimmy said: ↑

Everything with keepass is open. Don't rely on ratings, look at the source if the ratings are a sticking point.
Click to expand...

Good point.. looking at release dates and version numbers though at Keepass2Android - Download: 1.01-preview for Jan 2017 and Google Play Feb 2017 Keepass2Android Password Safe - Android Apps on Google Play - difference due to time it takes for Google Play to publish app ?

eva2000 · Mar 23, 2017

Interesting read Password managers may not be as secure as you think

Password managers are often pitched as a convenient way to secure online accounts. Their main appeal is that they can generate and store very complex, distinct passwords -- that would normally be virtually impossible for the average person to memorize (or for someone to crack) -- and the user only has to remember a master password -- that encrypts them -- to access those credentials.

But, for password managers to be truly effective, they have to be secure in the first place. And that may be a problem, according to a new report by TeamSIK, which found serious vulnerabilities in many of the popular options available on Android, including LastPass, Dashlane, and 1Password.
Click to expand...

"In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks," the security researchers write in the report.

TeamSIK found at least one vulnerability in each of the tested password managers, with Informaticore and Hide Pictures Keep Safe Vault scoring best in this regard. Avast Passwords had six vulnerabilities, followed by 1Password with five, Dashlane with four, LastPass and MyPasswords with three each, and Keeper with two.
Click to expand...

Jimmy · Mar 23, 2017

eva2000 said: ↑

Good point.. looking at release dates and version numbers though at Keepass2Android - Download: 1.01-preview for Jan 2017 and Google Play Feb 2017 Keepass2Android Password Safe - Android Apps on Google Play - difference due to time it takes for Google Play to publish app ?
Click to expand...

Might be. I don't use them myself... nothing goes on my phone which is sensitive.

eva2000 · Mar 23, 2017

Jimmy said: ↑

Might be. I don't use them myself... nothing goes on my phone which is sensitive.
Click to expand...

what about various forum logins from mobile etc?

More at Security issues found in nine password managers for Android (LastPass, Dashlane..) - gHacks Tech News

Security researchers of the Fraunhofer Institute found severe security issues in nine password managers for Android that they analyzed as part of their research.

Password managers are a popular option when it comes to storing authentication information. All promise secure storage either locally or remotely, and some may add other features to the mix such as password generation, automatic sign ins, or the saving of important data such as Credit Card numbers or Pins.

A recent study by the Fraunhofer Institute looked at nine password managers for Google's Android operating system from a security point of view. The researchers analyzed the following password managers: LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure KEY, Keepsafe, Keeper, and Avast Passwords.

Some of the apps have more than 50 million installations, and all at least 100,000 installations.
Click to expand...

You can check out the full list of apps analyzed and the vulnerabilities on the Fraunhofer Institute website.

Note: All disclosed vulnerabilities have been fixed by the companies who develop the applications. Some fixes are still in development. It is recommended that you update the applications as soon as possible if you run them on your mobile devices.
Click to expand...

Lastpass related !

LastPass Password Manager (App-Link)

SIK-2016-022: Hardcoded Master Key in LastPass Password Manager

SIK-2016-023: Privacy, Data leakage in LastPass Browser Search

SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager

Click to expand...

1password related

1Password – Password Manager (App-Link)

SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser

SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser

SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database

SIK-2016-041: Read Private Data From App Folder in 1Password Manager

SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager

Click to expand...

Discussion at https://news.ycombinator.com/item?id=13753864

Jimmy · Mar 23, 2017

eva2000 said: ↑

what about various forum logins from mobile etc?
Click to expand...

I don't use my phone to login to forums / sites.

If I'm going somewhere and I need to access a site I manage I have my laptop with a VPN.

I'm not attached to my mobile device. I use it for phone calls and messaging.

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

Security Lastpass Security Vulnerabilities [March 2017]

eva2000 Administrator Staff Member

March 22nd, 2017 Update

Original News

eva2000 Administrator Staff Member

Jimmy Well-Known Member

RB1 Active Member

BamaStangGuy Active Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

pamamolf Premium Member Premium Member

Jimmy Well-Known Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

Security Lastpass Security Vulnerabilities [March 2017]

eva2000 Administrator Staff Member

March 22nd, 2017 Update

Original News

eva2000 Administrator Staff Member

Jimmy Well-Known Member

RB1 Active Member

BamaStangGuy Active Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

pamamolf Premium Member Premium Member

Jimmy Well-Known Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

.