SoylentNews is people

posted by Fnord666 on Wednesday September 18 2019, @04:23PM
from the leaky-bugs dept.

Submitted via IRC for Bytram

LastPass Fixes Bug That Leaks Credentials

The company has patched a vulnerability that could allow malicious sites unauthorized access to usernames and passwords.

LastPass has patched a bug that could potentially allow malicious websites to access a web user’s credentials from a previously visited site.

Tavis Ormandy, a vulnerability researcher from Google Project Zero, discovered the flaw in the LastPass password manager and published it on the project’s website on Aug. 29, rating it as “high.” He followed that up with a Twitter post warning web users about the bug on Sunday.

“LastPass could leak the last used credentials due to a cache not being updated,” Ormandy tweeted. “This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!”

In other words, if a web user running LastPass entered credentials on one site and then surfed to another, the second site could have had unauthorized access to the username and password from the first site. If the second site is malicious, it could put the user at risk from cybercriminals.

Between the bug’s discovery and Ormandy’s Twitter announcement of the vulnerability, LastPass said it fixed the bug in a blog post dated Sept. 13. The company also diminished its severity.

[...] The bug isn’t the first that Ormandy discovered in the password management software. The Google researcher has been keeping LastPass’s security team on its toes in recent years.

In 2017, LastPass was prompted to patch three bugs that could allow for password theft thanks to Ormandy’s detective work. The year before that, Ormandy discovered a vulnerability in the password manager’s Firefox add-on that allowed attackers to remotely compromise it, which LastPass also subsequently fixed.

Also at: BleepingComputer

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 18 2019, @04:58PM (2 children)

    by Anonymous Coward on Wednesday September 18 2019, @04:58PM (#895729)

    "LastPass showed that its product does not do what it promises to do"

    • (Score: 4, Interesting) by DannyB on Wednesday September 18 2019, @05:24PM

      by DannyB (5839) Subscriber Badge on Wednesday September 18 2019, @05:24PM (#895735) Journal

      Look what happened to Dmitry Sklyarov [wikipedia.org] for revealing that Adobe's e-book protection could be trivially broken.

      Dmitry was in the US at a conference to show his findings. Adobe got wind of it, got the FBI to arrest him. He was stuck in the US for six months away from his wife and very young son. Because Adobe's product was grossly, negligently defective.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 0) by Anonymous Coward on Thursday September 19 2019, @01:06AM

      by Anonymous Coward on Thursday September 19 2019, @01:06AM (#895932)

      You forgot: Again.

  • (Score: 0) by Anonymous Coward on Wednesday September 18 2019, @05:33PM (1 child)

    by Anonymous Coward on Wednesday September 18 2019, @05:33PM (#895744)

    "See what you get when you trust cloud services? Film at 11."

    • (Score: 2) by maxwell demon on Wednesday September 18 2019, @06:17PM

      by maxwell demon (1608) on Wednesday September 18 2019, @06:17PM (#895761) Journal

      When you see the cloud, expect rain.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by mechanicjay on Wednesday September 18 2019, @08:36PM (2 children)

    by mechanicjay (7) <reversethis-{gro ... a} {yajcinahcem}> on Wednesday September 18 2019, @08:36PM (#895804) Homepage Journal

    I thought it sounded like a terrible idea from a security standpoint. They certainly have not proven me wrong over the years.

    --
    My VMS box beat up your Windows box.
    • (Score: 0) by Anonymous Coward on Thursday September 19 2019, @01:20AM (1 child)

      by Anonymous Coward on Thursday September 19 2019, @01:20AM (#895947)

      Weigh the differences. Garbage, reused passwords that you can remember, likely garbage passwords in a local password manager and hours keeping them synced across devices, or possibly decent passwords synced across devices with the risk that they may leak but no evidence they ever actually have.

      Lastpass may have issues, but it's better than most people are doing with a password of "password".

      • (Score: 0) by Anonymous Coward on Thursday September 19 2019, @02:14AM

        by Anonymous Coward on Thursday September 19 2019, @02:14AM (#895964)

        Hah, you insecure fools. My password is p4ssw0rd. They'll never guess that!

  • (Score: 0) by Anonymous Coward on Thursday September 19 2019, @01:03AM

    by Anonymous Coward on Thursday September 19 2019, @01:03AM (#895929)

    The new name, best fitting, can be Je Ne Pas.