LastPass Cross Tab Credential Leak

Posted by veryDIMM (original poster)

Cross Tab Credential Leak: Google Zero Day developers have found a problem with the LastPass automatic fill-in for textboxes. When a user doesn't follow through with a login using the auto-filled credentials, they are cached and can be accessed from sites viewed afterwards (your mileage may vary; check out the following posts). The following posts show the specifics of the problem. There has been an update pushed out already, so make sure you update your devices or Chrome addons.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1930

https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/
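As an added illustration (not LastPass's code and not from the Project Zero report), here is how an autofill credential cache can be scoped so that credentials offered for one origin are never handed to a different site and are dropped when the login attempt is abandoned; the class and function names and the sample flow are assumptions.

```javascript
// Added illustration, not LastPass code: an autofill cache scoped to the
// origin it was captured for and cleared once the login is abandoned.
// CredentialCache, offer, abandon and the sample flow are assumptions.

class CredentialCache {
  constructor() {
    this.entry = null; // { origin, username, password }
  }

  // Remember credentials that were just offered for a login on `origin`.
  remember(origin, username, password) {
    this.entry = { origin: new URL(origin).origin, username, password };
  }

  // Return the cached credentials only if the requesting page has exactly
  // the origin they were stored for; any other origin gets nothing.
  offer(requestingOrigin) {
    if (!this.entry) return null;
    const wanted = new URL(requestingOrigin).origin;
    if (wanted !== this.entry.origin) return null;
    return { username: this.entry.username, password: this.entry.password };
  }

  // Called when the user navigates away or never submits the login form:
  // the cache must not outlive the login attempt it was filled for.
  abandon() {
    this.entry = null;
  }
}

// Constructed walk-through of the scenario in the post: credentials are
// offered on one site, the login is not completed, another site is visited.
function simulateCrossTabScenario() {
  const cache = new CredentialCache();
  cache.remember("https://bank.example/login", "alice", "s3cret");
  const offeredToOtherSite = cache.offer("https://other-site.example/");
  cache.abandon(); // login abandoned: nothing may survive in the cache
  const offeredAfterAbandon = cache.offer("https://bank.example/login");
  return { offeredToOtherSite, offeredAfterAbandon };
}
```

Both values returned by simulateCrossTabScenario are null: a cached credential is only ever filled back into the exact origin it was captured for, and only while that login attempt is still live.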


This was patched WAY before anyone was even exploiting it. Assuming you're using a password manager, I would hope that you keep on top of updates too...


2 hours ago, rcmaehl said:

This was patched WAY before anyone was even exploiting it

That we know of...



To me the best way to remember passwords is just keeping them as hard copies inside a safe.



Definitely have to give the top password managers credit for how quick they are to address security holes when they're found. Companies in other tech fields could learn a thing or two from that.

2 hours ago, williamcll said:

To me the best way to remember passwords is just keeping them as hard copies inside a safe.

 

Doesn't help when you're not at home.

4 hours ago, williamcll said:

To me the best way to remember passwords is just keeping them as hard copies inside a safe.

I literally suggested this to my father last week. 



First thing on the list is to not have LastPass at all. Wasn't LastPass only a rebrand of some old one which got wrecked when data was exploited? By the way, from what I have seen, it took them 2 weeks to have it all patched. How many incidents were there with LastPass? 5 since 2011?

Am I the only one who, after an initial password manager research, had it clear that the most interesting one is BitWarden? It supports all the platforms, works great and, for us F(remium)OSS fans, it is open-source.

Edit: A couple of edits. I don't want to miss an opportunity to debunk the "fan-favorite" "#1 Password Manager"; just because "techtubers" tend to promote it doesn't mean it is good.

9 hours ago, Derangel said:

 

Doesn't help when you're not at home.

Well at that point it's a total loss. 


4 hours ago, dropadred said:

First thing on the list is to not have LastPass at all. Wasn't LastPass only a rebrand of some old one which got wrecked when data was exploited? By the way, from what I have seen, it took them 2 weeks to have it all patched. How many incidents were there with LastPass? 5 since 2011?

Am I the only one who, after an initial password manager research, had it clear that the most interesting one is BitWarden? It supports all the platforms, works great and, for us F(remium)OSS fans, it is open-source.

Edit: A couple of edits. I don't want to miss an opportunity to debunk the "fan-favorite" "#1 Password Manager"; just because "techtubers" tend to promote it doesn't mean it is good.

Not sure about the first thing, can't find any info on it. As for the incidents, technically 6. Though, the first one in 2011 may or may not have been a serious incident. They discovered some weird traffic on one of their servers but nothing that fit a classic hack and disabled the server before suggesting users change their master passwords just in case.

 

Two weeks isn't that long, depending on what all needed to be done to narrow down what was causing the incident and what needed to be done to fix it. 8bit needed four months to fix the third-party JavaScript issue BitWarden had; sometimes fixes take longer than a day or two.

11 hours ago, Derangel said:

Definitely have to give the top password managers credit for how quick they are to address security holes when they're found. Companies in other tech fields could learn a thing or two from that.

Their entire business is security, so I would hope so. lol

It's the companies who have a product that does X not related to security that seem to have the most issues. It's usually just not the focus.


1 minute ago, bcredeur97 said:

Their entire business is security, so I would hope so. lol

It's the companies who have a product that does X not related to security that seem to have the most issues. It's usually just not the focus.

EVERYONE in the tech field should have security as a focus. There is no excuse for how poorly a lot of tech firms handle security these days, especially ones that deal with a lot of sensitive user data.

On 9/20/2019 at 9:01 PM, Derangel said:

EVERYONE in the tech field should have security as a focus. There is no excuse for how poorly a lot of tech firms handle security these days, especially ones that deal with a lot of sensitive user data.

Why should they care about security, if their customers just answer with "meh, whatever..." every time their data gets leaked?

 

Anyway, I use Keepass, which is great, because I can control the data and everything runs locally.
