
Last Pass exploit allows hackers to steal passwords and execute code

2FA
 
Quote

Developers of the widely used LastPass password manager are scrambling to fix a serious vulnerability that makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.

 

The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google's Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.

 

"It will take a long time to fix this properly," Ormandy said. "It's a major architectural problem. They have 90 days, no need to scramble!"

 

It's most likely that this exploit isn't in the wild yet.

 

Regardless, LastPass has provided advice on how to protect yourself from this exploit until it is patched.

 

Quote

1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.


2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.


3. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

 

Article: https://arstechnica.com/security/2017/03/potent-lastpass-exploit-underscores-the-dark-side-of-password-managers/

Blog: https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


And this is why I never trusted Lastpass, it's only a matter of time before an exploit gets found in any software, nowadays.

Workstation:  13700k @ 5.5Ghz || Gigabyte Z790 Ultra || MSI Gaming Trio 4090 Shunt || TeamGroup DDR5-7800 @ 7000 || Corsair AX1500i@240V || whole-house loop.

LANRig/GuestGamingBox: 9900nonK || Gigabyte Z390 Master || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3080Ti Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)


2 minutes ago, AnonymousGuy said:

And this is why I never trusted Lastpass, it's only a matter of time before an exploit gets found in any software, nowadays.

The actual service itself is secure. This is an exploit in the client browser plugin, which you technically don't have to use.

 

I have dozens of passwords in use; using LastPass makes it a lot easier to manage and keep track of unique passwords with high entropy.

 

There's no way I could remember them off the top of my head and it's more secure than a spreadsheet or a piece of paper.


6 minutes ago, AnonymousGuy said:

And this is why I never trusted Lastpass, it's only a matter of time before an exploit gets found in any software, nowadays.

Any means to securely store numerous passwords/phrases then? 

My eyes see the past…

My camera lens sees the present…


1 minute ago, Zodiark1593 said:

Any means to securely store numerous passwords/phrases then? 

Personally, KeePass with file key and password lock, and a long hashing/seeding/whatever it's called time so you can only guess about 1 password every 5 seconds even on a high performance desktop.

 

Most of my passwords I remember off the top of my head.  Entropy whatever doesn't matter if you need a leaky browser plugin to use it.


3 minutes ago, DeadEyePsycho said:

The actual service itself is secure. This is an exploit in the client browser plugin, which you technically don't have to use.

 

I have dozens of passwords in use; using LastPass makes it a lot easier to manage and keep track of unique passwords with high entropy.

 

There's no way I could remember them off the top of my head and it's more secure than a spreadsheet or a piece of paper.

Not to mention it's only $12 every year. So I'll disable the Chrome extension at the moment and stick to the app, which is ugly by the way on Windows. 

There is more that meets the eye
I see the soul that is inside

 

 


2 minutes ago, AnonymousGuy said:

Personally, KeePass with file key and password lock, and a long hashing/seeding/whatever it's called time so you can only guess about 1 password every 5 seconds even on a high performance desktop.

 

Most of my passwords I remember off the top of my head.  Entropy whatever doesn't matter if you need a leaky browser plugin to use it.

That's all well and good but what happens when you have multiple machines in different locations that you use and need access to those passwords?

 

I could also be extremely paranoid with my passwords if I really wanted to but there is the accessibility factor that everyone forgets about. The point of proper security is finding the right balance between confidentiality, integrity, and accessibility for the given situation.


8 minutes ago, AnonymousGuy said:

Personally, KeePass with file key and password lock, and a long hashing/seeding/whatever it's called time so you can only guess about 1 password every 5 seconds even on a high performance desktop.

 

Most of my passwords I remember off the top of my head.  Entropy whatever doesn't matter if you need a leaky browser plugin to use it.

KeePass FTW! I have my number of "key encryption rounds", as it's called in the program, set to 1,067,550,720, which just so happens to be how many my 4690K can do in one minute. Then I have each account saved in there with passwords of 35 randomly generated characters, or the max allowed for that website.

 

Do I have to wait a minute for it to load before I can get any password I need from it? Yes. Does it inconvenience me in the slightest? Not a chance xD

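The two KeePass posts above both rest on the same defensive idea: a deliberately slow key-derivation function makes every master-password guess cost a fixed, tunable amount of CPU time, so someone who copies the vault file gets only a few guesses per second. The Python below is an added example, not code from the thread or from KeePass (which stretches the key with AES-KDF or Argon2 rather than the PBKDF2-HMAC-SHA256 used here as a stand-in). The master password and salt are constructed sample values, and `calibrate_rounds` implements the "pick the round count your own machine finishes in N seconds" tuning the posts describe.

```python
import hashlib
import os
import time

# Constructed sample master password; a real vault would also mix in a key file.
MASTER_PASSWORD = b"correct horse battery staple"


def derive_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Stretch a password into a 32-byte key with PBKDF2-HMAC-SHA256.

    Every guess against the vault has to repeat this work, so `rounds` sets the
    per-guess cost for the legitimate user and for an attacker alike.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)


def measure_rounds_per_second(sample_rounds: int = 20000) -> float:
    """Benchmark this machine: how many PBKDF2 rounds it completes per second."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"benchmark", salt, sample_rounds)
    elapsed = time.perf_counter() - start
    return sample_rounds / elapsed


def calibrate_rounds(target_seconds: float, minimum_rounds: int = 100_000) -> int:
    """Choose a round count so that one unlock takes roughly target_seconds here.

    A floor is kept so a throttled or interrupted benchmark cannot yield a weak setting.
    """
    rounds = int(measure_rounds_per_second() * target_seconds)
    return max(rounds, minimum_rounds)


def attacker_guesses_per_second(rounds: int, rounds_per_second: float) -> float:
    """Guess rate an attacker gets per core of hardware comparable to this machine."""
    return rounds_per_second / rounds


def main() -> None:
    rps = measure_rounds_per_second()
    rounds = calibrate_rounds(1.0)   # aim for a one-second unlock, like the posts' "N seconds per guess"
    salt = os.urandom(16)            # stored beside the vault; it need not be secret
    key = derive_key(MASTER_PASSWORD, salt, rounds)
    print(f"this machine: ~{rps:,.0f} PBKDF2 rounds/s")
    print(f"rounds for a ~1 s unlock: {rounds:,}")
    print(f"attacker rate at that setting: ~{attacker_guesses_per_second(rounds, rps):.2f} guesses/s per core")
    print(f"derived key: {key.hex()}")


if __name__ == "__main__":
    main()
```

The round count buys a constant factor, not immunity: an attacker with many GPU cores multiplies the per-core rate accordingly, so the setting is only worthwhile together with a master password that has real entropy of its own.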

I find it ironic that they put two links in the section telling people to not click on links.


Just now, EminentSun said:

I find it ironic that they put two links in the section telling people to not click on links.

They said not to click on links from sources you don't know. 

 

There's nothing ironic about it.


37 minutes ago, AnonymousGuy said:

And this is why I never trusted Lastpass, it's only a matter of time before an exploit gets found in any software, nowadays.

May as well disconnect from the internet if you're so paranoid. The 4Chan Hacker will come for you since you didn't donate to the church of Pepe.

 

I do realize that there is some form of sanity in protecting what's yours, but if someone were to target your shit they're most likely going to get it, LastPass user or not.


1 hour ago, DeadEyePsycho said:
(bump)

ouch...

and that's why I don't use LastPass for anything

(that and the work policies I have set up don't allow any password saving methods via a browser or third party)

****SORRY FOR MY ENGLISH IT'S REALLY TERRIBLE*****

Been married to my wife for 3 years now! Yay!


1 hour ago, DeadEyePsycho said:

The actual service itself is secure. This is an exploit in the client browser plugin, which you technically don't have to use.

 

I have dozens of passwords in use; using LastPass makes it a lot easier to manage and keep track of unique passwords with high entropy.

 

There's no way I could remember them off the top of my head and it's more secure than a spreadsheet or a piece of paper.

I remember this many passwords and routinely phase them out. I don't get how this is difficult to do.

 

If anything a hard copy tucked away somewhere is more secure than a program on a pc. Unless you leave the paper sitting out somewhere. 

CPU: Amd 7800X3D | GPU: AMD 7900XTX


3 minutes ago, goodtofufriday said:

I remember this many passwords and routinely phase them out. I don't get how this is difficult to do.

 

If anything a hard copy tucked away somewhere is more secure than a program on a pc. Unless you leave the paper sitting out somewhere. 

So you're saying you remember that many passwords that are like this?

 

d8H&97q

4$%g7$A

xVl%9uS


Just now, DeadEyePsycho said:

So you're saying you remember that many passwords that are like this?

 

d8H&97q

9$%g7$A

xVl%9uS

I take a word I can remember, usually from an Asian language in its alphabetic form, and apply caps, numbers and special characters.

 

So, say, Dobutsu (animal) would become D06u&72u

And at any given time I memorize at least 10 passwords in this fashion.


12 minutes ago, goodtofufriday said:

I remember this many passwords and routinely phase them out. I don't get how this is difficult to do.

 

If anything a hard copy tucked away somewhere is more secure than a program on a pc. Unless you leave the paper sitting out somewhere. 

A mentally kept password is protected by law (with the exception that the other party can prove or testify what the contents of an encrypted volume are). A password written down is afforded no such protection. Where data is encrypted, ensuring no hard copies of the password exist can effectively stall a cyber forensics operation.

 

Thus, I make a habit of not writing down any important passwords. 


1 hour ago, Zodiark1593 said:

Any means to securely store numerous passwords/phrases then? 

Your brain.


11 minutes ago, Zodiark1593 said:

A mentally kept password is protected by law (with the exception that the other party can prove or testify what the contents of an encrypted volume are). A password written down is afforded no such protection. Where data is encrypted, ensuring no hard copies of the password exist can effectively stall a cyber forensics operation.

 

Thus, I make a habit of not writing down any important passwords. 

I wonder where that puts services like SSO at.  


18 minutes ago, goodtofufriday said:

I wonder where that puts services like SSO at.  

Useful for online accounts where data involved is in the hands of a (trusted?) third party anyway. For data that is important enough to make an encrypted container for, the password and data lives and dies with me (or at least until I choose to provide password/decrypted data). 

 

Of course, I could upload the encrypted container to the cloud or via email (with its own password), and limit what the third party can access.


56 minutes ago, DeadEyePsycho said:

So you're saying you remember that many passwords that are like this?

 

d8H&97q

4$%g7$A

xVl%9uS

Yes I can, I made my LastPass password using their password generator :P

Western Sydney University - 4th year BCompSc student


I am also a big KeePass fan. It works, it is secure and its code is audited by lots of people.

If you want secure and trusted cryptography, go for the open source solutions.


5 hours ago, goodtofufriday said:

I take a word I can remember, usually from an Asian language in its alphabetic form, and apply caps, numbers and special characters.

 

So, say, Dobutsu (animal) would become D06u&72u

And at any given time I memorize at least 10 passwords in this fashion.

That password is too short. Probably already in the rainbow tables. A decent password would look more like this:

 

G)N"5v0>oB=$zi}.doCZ=9O"0`kv

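The last two posts disagree about password strength: an 8-character substituted word versus a 28-character random string. As an added example that is not part of the thread, the Python below estimates the brute-force search space of the passwords quoted in the thread and the time needed to exhaust it at a constructed guess rate, both against a fast hash and against a vault whose key-derivation function makes each guess cost a million hash rounds. The figure is an upper bound: it assumes every character was chosen uniformly at random, so a password built from a dictionary word with predictable substitutions falls well below its estimate, since guessing tools try words with common substitutions long before exhaustive search. The guess rate and round count are illustrative assumptions, not measurements.

```python
import math

# Conventional character-class sizes; 33 is the number of printable ASCII
# symbols (95 printable characters minus 62 letters and digits).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33

# Passwords quoted in the thread, used here only as inputs to the estimate.
SAMPLES = ["d8H&97q", "D06u&72u", 'G)N"5v0>oB=$zi}.doCZ=9O"0`kv']

# Assumed attacker capability (constructed figures for illustration).
FAST_HASH_RATE = 1e10      # guesses per second against an unstretched fast hash
KDF_ROUNDS = 1_000_000     # hash rounds per guess against a stretched vault key

SECONDS_PER_YEAR = 365 * 86400


def charset_size(password: str) -> int:
    """Size of the smallest conventional character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):
        size += SYMBOL
    return size


def search_space_bits(password: str) -> float:
    """log2 of the candidate count an exhaustive search must cover at most.

    Upper bound only: it assumes each character was drawn uniformly from the set.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def crack_time_report(password: str, raw_rate: float, kdf_rounds: int) -> dict:
    """Compare exhaustive-search time against a fast hash and against a KDF-stretched
    check where every guess costs `kdf_rounds` hash computations."""
    bits = search_space_bits(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": bits,
        "fast_hash_years": seconds_to_exhaust(bits, raw_rate) / SECONDS_PER_YEAR,
        "kdf_years": seconds_to_exhaust(bits, raw_rate / kdf_rounds) / SECONDS_PER_YEAR,
    }


def main() -> None:
    print(f"{'password':30} {'len':>3} {'set':>3} {'bits':>7} {'fast hash (y)':>16} {'KDF (y)':>16}")
    for pw in SAMPLES:
        r = crack_time_report(pw, FAST_HASH_RATE, KDF_ROUNDS)
        print(f"{pw:30} {r['length']:>3} {r['charset']:>3} {r['bits']:>7.1f} "
              f"{r['fast_hash_years']:>16.3g} {r['kdf_years']:>16.3g}")


if __name__ == "__main__":
    main()
```

Run it and the two short samples land in the hours-to-days range against a fast hash even under the generous uniform-choice assumption, while the 28-character string is far beyond exhaustive search at any rate; the KDF column shows the constant factor a stretched vault adds on top of whatever entropy the password itself carries.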