And there’s also this little gem: https://twitter.com/taviso/status/758143119409885185
Full report sent to LastPass, they’re working on it now. Yes, it’s a complete remote compromise. Yes, I promise I’ll look at 1Password.
Hey that’s a sweet little attack.
Excuse me while I go disable auto fill.
“Wow that’s nice! wait shit.”
I’m sure glad that I’d already disabled it because I found it to be an annoying feature. Even worse with autologin (it autofills and submits) when you have multiple logins; I figured something like this was bound to happen sooner or later, but didn’t imagine the extent.
Wow, that regex-based URL parser makes me seriously question the code quality of the rest of their product. Glad I don’t use LastPass, or any other password manager linked to my browser.
they even awarded me with a bug bounty of $1,000
Only $1,000? This is like the worst possible bug he could have found.
I think this is the second attack on a password store I’ve heard about in 2 weeks, the other being KeePass. It’s beginning to look like the best way to store passwords is simply in a GPG-encrypted file (or with something like pass, which uses GPG encryption).
Do you have a link to the attack on KeePass?
Posted June 6th, so relatively recent.
The tl;dr of the attack vector is that KeePass updates over HTTP, so the payload can be MITM’d with an exploited KeePass client which leaks the user’s passwords.
Be super vigilant when it comes to using KeePass’s built-in auto-update mechanism!
These sorts of stories are a big reason I moved away from larger software to manage my passwords and simply migrated to pass (https://www.passwordstore.org/). I’m a huge fan of being able to have a 4096-SHA256 GPG encrypted flat store of my passwords/sensitive information. This way, no autofill but I can simply pass -c accountname and have the password on my clipboard. It’s dead simple, fast, and I now have unique random 32char passwords for EVERY. SINGLE. SERVICE. It really helps me sleep at night.
There is also rofi-pass which saves ya from having to fire up a terminal!
And an alternative not written in bash: freepass which seems to be getting iOS and Android apps!
aaaaand this is why I moved away from lastpass recently.
What did you move towards?
I like PasswordSafe by Bruce Schneier.