
[UPDATED] LastPass vulnerability (make sure it's up to date)

colonel_mortis

Source: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

For update: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/

 

If you use LastPass, please make sure it's up to date (though the vulnerability appears to have been fixed a while ago). If you use Firefox, action is required. See below for details.

Quote

By browsing this URL: http://avlidienbrunn.se/@twitter.com/@hehe.php the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurrence of @, the actual domain is treated as the username portion of the URL.

The attack then involved adding form fields to the page so that they would be autofilled by the extension, and the contents can then be extracted using a script running on the page.


The vulnerability has been patched by LastPass, but obviously the fact that it exists at all is concerning.

To prevent any autofill vulnerabilities from affecting you in future, you can disable autofilling the fields (you click a button instead) in your LastPass settings.

 

== UPDATE ==

LastPass has now published a blog post explaining this issue, as well as disclosing a new critical vulnerability that affects users of the Firefox version of the addon. If you are using Firefox, you urgently need to update the extension from https://lastpass.com/lastpassffx

This vulnerability was reported to LastPass by Google security researcher Tavis Ormandy yesterday, and the update was released a few hours ago. The full details of the exploit have not yet been disclosed, but it was described as a "message-hijacking bug". To understand what that means, you need to understand how a browser extension like LastPass works - a script runs inside a sandbox with access to the page, but no access to any of the extension's settings or private data ("content script"), while another script runs with no access to the web content but with access to all of the private data, settings, etc ("main script"). The two scripts communicate by sending messages to one another, allowing the web script to get data from the main script, and to modify settings/private data/etc.

This vulnerability means that a malicious website can cause arbitrary messages to be sent from the content script to the main script, allowing the malicious website to get your passwords or modify the contents of your vault.

Thanks to @lubblig for notifying me about the update.

Edited by colonel_mortis

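As an added example (not code from the post, from Detectify or from LastPass), this Node script reconstructs the host-extraction mismatch the quote describes and checks it against the platform URL parser. The naive extractor is an assumed reconstruction of the described behaviour (encode only the last '@', then treat everything before the remaining '@' as userinfo), and the sample URLs other than the post's own are constructed controls.

```javascript
// Added example: naive host extraction vs. the platform URL parser.
// Assumption: naiveHost() is a reconstruction of the behaviour the writeup
// describes, not LastPass's actual code.

// Encode only the LAST '@' in the string (the flaw the post describes).
function encodeLastAt(u) {
  const i = u.lastIndexOf("@");
  return i === -1 ? u : u.slice(0, i) + "%40" + u.slice(i + 1);
}

// Naive extractor: optional "userinfo@" (which wrongly allows '/') then host.
// With two '@' characters, everything up to the first remaining '@' becomes
// "userinfo", so the real domain is swallowed and the path segment wins.
function naiveHost(u) {
  const m = /^https?:\/\/(?:[^@]*@)?([^/:?#]+)/i.exec(encodeLastAt(u));
  return m ? m[1].toLowerCase() : null;
}

// Correct: delegate to the platform parser, whose authority ends at the first '/'.
function parsedHost(u) {
  try { return new URL(u).hostname.toLowerCase(); } catch (e) { return null; }
}

// Defender's check: list every URL on which the two extractors disagree.
// Any autofill decision should be keyed on parsedHost() alone.
function findMismatches(urls) {
  return urls
    .map(u => ({ url: u, naive: naiveHost(u), parsed: parsedHost(u) }))
    .filter(r => r.naive !== r.parsed);
}

// Constructed sample set: the post's URL plus benign controls.
const SAMPLES = [
  "http://avlidienbrunn.se/@twitter.com/@hehe.php", // quoted in the post
  "https://twitter.com/@handle",                    // single '@' in the path: encoding the last '@' suffices
  "https://twitter.com/login",                      // no '@' at all
];

console.log(JSON.stringify(findMismatches(SAMPLES), null, 2));
```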


Yikes.  That is very concerning.  Another reason to make sure all your various logins have a unique password I guess, and keep the master password very secure.


Just now, CostcoSamples said:

Yikes.  That is very concerning.  Another reason to make sure all your various logins have a unique password I guess, and keep the master password very secure.

That is obviously a really good practice, but in this particular case it wouldn't have helped.



my keepass file is kept very secure, i have nothing to worry about :P

 

Joking aside (yes, that's actually where my keepass file is, btw), that is a very, very worrying thing to have existed.


1 minute ago, manikyath said:

-pic snip-

my keepass file is kept very secure, i have nothing to worry about :P

 

Joking aside (yes, that's actually where my keepass file is, btw), that is a very, very worrying thing to have existed.

I should get one of those.... I have a bunch of 3.5" floppies sitting in a case on my shelf.


Just now, DevilishBooster said:

I should get one of those.... I have a bunch of 3.5" floppies sitting in a case on my shelf.

takes a year and a half for keepass to load the database tho :P


Just now, manikyath said:

takes a year and a half for keepass to load the database tho :P

Doesn't matter, still secure.


Just now, DevilishBooster said:

Doesn't matter, still secure.

Well, they can steal your passwords, but it's not like they're gonna be able to even get the file off of the floppy in the first place xD


17 minutes ago, manikyath said:

Well, they can steal your passwords, but it's not like they're gonna be able to even get the file off of the floppy in the first place xD

They don't copy that floppy.


Step 1: Enable 2FA on everything you can

Step 2: Use some unique passwords. That's the point of a password manager, right?


2 minutes ago, Qub3d said:

Step 1: Enable 2FA on everything you can

Step 2: Use some unique passwords. That's the point of a password manager, right?

Until 2 factor authentication is deemed insecure: http://www.techspot.com/news/65728-sms-based-two-factor-authentication-phased-out.html


6 minutes ago, djdwosk97 said:

SMS-based 2FA. Use Google Authenticator.


18 minutes ago, djdwosk97 said:

It's still more secure to have a password AND 2FA than just a password. The two aren't mutually exclusive.


Seems like there is another bug in LastPass, although this one has yet to be patched. It's a zero-day exploit that allegedly enables a remote hacker to completely compromise a LastPass account.

Quote

A critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.

So far there isn't really any proof as far as I can tell, only a security expert claiming the fact. Although it's the Google employee (Project Zero team) Tavis Ormandy who made the report and has reported the bug to LastPass, so it's likely not a hoax. Since it has only just been found, though, the "how it was done" has yet to be released, to give LastPass time to patch it.

Source: http://thehackernews.com/2016/07/lastpass-password-manager.html

 

@colonel_mortis You may want to update the OP or make a new post (I thought I'd just leave a comment as you are probably better at explaining the situation than I am)

 

EDIT: It seems Lastpass has fixed the issue and an update is available. Read the OP for more details.


Oh, good it's up to date.


Why even store passwords exactly? I can't imagine giving someone a possible single point of entry into all of my accounts.


1 hour ago, goodtofufriday said:

Why even store passwords exactly? I can't imagine giving someone a possible single point of entry into all of my accounts.

Because the alternative is to reuse the same password on multiple sites, so if one of them gets hacked, all the other accounts on other sites get compromised too. And no, using a variant of the password depending on the site (eg p@ssw0rd-facebook for facebook and p@ssw0rd-twitter for twitter) is barely more secure, because attackers have learnt to expect it.


5 minutes ago, colonel_mortis said:

Because the alternative is to reuse the same password on multiple sites, so if one of them gets hacked, all the other accounts on other sites get compromised too. And no, using a variant of the password depending on the site (eg p@ssw0rd-facebook for facebook and p@ssw0rd-twitter for twitter) is barely more secure, because attackers have learnt to expect it.

I personally have 7 different passwords that I've memorized and rotate through. Occasionally I'll retire one after it's been some time. This would be the best alternative, but I guess we can't ask most people to do that.


8 minutes ago, goodtofufriday said:

I personally have 7 different passwords that I've memorized and rotate through. Occasionally I'll retire one after it's been some time. This would be the best alternative, but I guess we can't ask most people to do that.

I did that before as well, but then one website got hacked into, account info got leaked, and suddenly I had to change the same password that I had reused on other services (20+). You will run out of unique passwords very quickly, and I ain't about to remember 87+ unique passwords (according to KeePass).

So now I really only need to remember a single very strong password and make sure I don't have a keylogger on my PC. (Though a certain feature of KeePass also protects your main password from that while entering it.)
