
posted by martyb on Saturday March 25 2017, @07:08AM
from the capturing-the-keys-to-your-kingdom dept.

LastPass patched three separate bugs that affected its Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website.

All bugs were discovered by Tavis Ormandy, a security researcher working for Google's Project Zero.

One bug affected the LastPass for Chrome extension, while the other two affected the company's Firefox add-on.

The vulnerability affecting the LastPass Chrome extension can be exploited by attacking an intermediary JS script that stands between the user's browser and the LastPass cloud service, where the company stores user passwords.

"It's possible to proxy untrusted messages to LastPass 4.1.42 due to a bug, allowing websites to access internal privileged RPCs (Remote Procedure Calls)," Ormandy explained. "There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords. If you have the 'Binary Component' installed, this even allows arbitrary code execution."
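The bug class described above is a content script that relays page messages to the extension's privileged RPC layer without checking who sent them or which RPC they name. The following is an added illustration, not LastPass code; the RPC names, the trusted origin `https://vault.example` and the sample page message are all constructed for the example. It shows the unchecked relay beside a hardened one that enforces message source, origin and an explicit allowlist of page-reachable RPCs.

```javascript
// Hypothetical privileged RPC surface of a password-manager extension.
// (The real extension's RPC names are not on the page.) Only "getVaultStatus"
// is intended to be reachable from web pages at all.
const privilegedRpcs = {
  getVaultStatus: () => ({ locked: true }),
  getCredentials: (args) => ({ site: args.site, password: "secret-example" }),
  execBinaryComponent: () => "native code would run here",
};

// Background-side dispatcher: rejects unknown method names.
function callRpc(method, args) {
  if (!Object.prototype.hasOwnProperty.call(privilegedRpcs, method)) {
    throw new Error(`unknown rpc: ${method}`);
  }
  return privilegedRpcs[method](args);
}

// VULNERABLE relay: forwards whatever the page posted straight to the
// privileged layer, so the page picks the RPC and its arguments.
function vulnerableRelay(event) {
  return callRpc(event.data.method, event.data.args);
}

// HARDENED relay: same-window source, trusted-origin check, and an allowlist
// of RPCs that pages may reach. Everything else is dropped before dispatch.
const trustedOrigins = new Set(["https://vault.example"]); // assumed vendor origin
const pageReachable = new Set(["getVaultStatus"]);
function hardenedRelay(event, ownWindow) {
  if (event.source !== ownWindow) return { error: "foreign source" };
  if (!trustedOrigins.has(event.origin)) return { error: "untrusted origin" };
  const { method, args } = event.data || {};
  if (typeof method !== "string" || !pageReachable.has(method)) {
    return { error: "rpc not exposed to pages" };
  }
  return callRpc(method, args);
}

// Constructed sample: a message from an arbitrary site naming a privileged RPC.
const ownWindow = { name: "content-script-window" };
const hostileEvent = {
  source: ownWindow,
  origin: "https://attacker.example",
  data: { method: "getCredentials", args: { site: "bank.example" } },
};

// The unchecked relay hands back a credential; the hardened one refuses.
console.log(vulnerableRelay(hostileEvent));        // { site: ..., password: ... }
console.log(hardenedRelay(hostileEvent, ownWindow)); // { error: 'untrusted origin' }
```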

The second and third bugs Ormandy discovered affect the LastPass Firefox add-on version 3.3.2 only. LastPass told Ormandy that version 3.3.2 is their most popular version.

Despite this, two weeks ago, LastPass announced they were retiring the LastPass Firefox add-on v3.3.2 because of Firefox's future plans to drop the old Add-ons API and move to a new system they call WebExtensions. The LastPass Chrome and Firefox extensions don't use the same version numbers, and the v3 on Firefox is the stable branch.

Just like the Chrome extension issue, the exploitation vector for these two issues is malicious JavaScript code that can be hidden in any website, whether one owned by the attacker or a compromised legitimate site.

Source: BleepingComputer


  • (Score: 0) by Anonymous Coward on Saturday March 25 2017, @10:32AM (5 children)

    by Anonymous Coward on Saturday March 25 2017, @10:32AM (#484069)

    Password Safe on Windows.
    Password Gorilla on Linux.
    The database was developed by Bruce Schneider, a cryptographer.

  • (Score: 0) by Anonymous Coward on Saturday March 25 2017, @10:36AM (1 child)

    by Anonymous Coward on Saturday March 25 2017, @10:36AM (#484071)

    Bruce Schneier that is. F#cking autocorrect.

    • (Score: 0) by Anonymous Coward on Sunday March 26 2017, @07:15AM

      by Anonymous Coward on Sunday March 26 2017, @07:15AM (#484288)

      Given his job, it's probably Schneider; he introduced a misspelling to affect identity stealing attacks. :^)

  • (Score: 0) by Anonymous Coward on Saturday March 25 2017, @10:53AM (2 children)

    by Anonymous Coward on Saturday March 25 2017, @10:53AM (#484073)

    Why insist on a solution that reinvents the wheel? In cryptography that's a bad thing, even if it's Schneier doing it.
    Password store is a simple shell wrapper around gpg, so worst case you can always get your passwords out of it manually, runs on basically any OS, GUIs are separate from the security relevant part, you get multi-user support which is great for teams or keeping a backup key in a safe somewhere, you can use smartcards to reduce the risk of using it on a device you don't fully trust etc.

    • (Score: 1) by Scruffy Beard 2 on Saturday March 25 2017, @07:22PM (1 child)

      by Scruffy Beard 2 (6030) on Saturday March 25 2017, @07:22PM (#484167)

      Automating tedious work is what computers excel at.

      I am right now putting off using GPG to decode a password because of all the steps involved.

      • (Score: 0) by Anonymous Coward on Sunday March 26 2017, @12:26PM

        by Anonymous Coward on Sunday March 26 2017, @12:26PM (#484342)

        Why deal with the tedium again?