
PSA: LastPass Does Not Encrypt Everything in Your Vault

Accepted submission by exec at 2017-01-22 02:25:23
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [HackerNews]

Time: 2017-01-19 17:21:50 UTC

Original URL: https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032?gi=ce27d77bd7a3 [hackernoon.com] using utf-8 encoding.

Title: PSA: LastPass Does Not Encrypt Everything in Your Vault


Arthur T Knackerbracket has found the following story [hackernoon.com]:

As a software engineer and long time LastPass user, I’ve always been an advocate of password managers. With data breaches becoming more and more common these days, it’s critical that we take steps to protect ourselves online. However, over the past year LastPass has made some decisions that have made me question their motives and ultimately has recently caused them to lose my business.

Last year LastPass introduced a new redesign of their vault in which they added nice pretty logos of all the sites in your vault.

This got me wondering, if LastPass is encrypting all of my data before it goes to their servers (like they claim) how are they able to show these logos to me when rendering the vault webpage? I turned to my browser’s developer tools to find out.

Here is the data being sent to LastPass when I save a site in my vault for Google.com:

As we can see name, grouping (the folder), username, and password all contain AES encrypted data in the form of:

However, that URL property doesn’t look like an encrypted string to me.

Whenever I save a site on a different LastPass account for Google.com, we see this:

As you can see, all accounts are saving the same unprotected, hexadecimal encoded string for Google.com:

Which when decoded is:

LastPass then uses this encoded string to render a logo for all sites in your vault for Google. I reached out to LastPass support inquiring about this and received the same canned response that’s repeated all over their website:

This is concerning for a couple of reasons:

Some people may not really care about this information being sent to LastPass unencrypted since their usernames and passwords are still protected properly, however, I think that LastPass is deceiving its users when they make the current claims that they do. Some users may be more conscious about their privacy and are unknowingly submitting their identifying private data to LastPass. Who knows what they are doing with the data that they have?

I’ve since moved to a more transparent, open source password manager that I can trust and I haven’t regretted it. Check out https://bitwarden.com [bitwarden.com] for a comparable free alternative to LastPass.


-- submitted from IRC
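The check the article's author performed by hand in the browser's developer tools can be automated. The following is an added example written for this story; it is not code from the article or from LastPass, and the two request bodies in it are constructed rather than captured (the "!...|..." values are arbitrary placeholder tokens, not whatever ciphertext format the product actually uses; the url field is simply hex("google.com")). It classifies each field of a saved-site record as recoverable hex-encoded plaintext or opaque, and then compares two accounts' records for the same site: fields that are byte-identical across accounts are encoded deterministically and let the server correlate users who hold the same site, whereas ciphertext produced with a fresh IV per record differs even for equal plaintext.

```python
"""Audit which fields of a captured password-manager request are actually encrypted.

Added example for this story; it is not LastPass code and the request bodies
below are constructed, not captured. It models the article's observation: most
vault fields carry ciphertext, but the site URL is only hex-encoded plaintext,
so it is identical for every account that saves the same site.
"""
import binascii
import string

# Constructed stand-ins for two accounts saving google.com. The ciphertext-like
# values are arbitrary base64-looking tokens with a leading "!" (a placeholder
# format chosen for this example; the page does not show the real one). The
# url field is hex("google.com"), as the article describes.
ACCOUNT_A = {
    "name": "!T0JzY3VyZQ==|c2FtcGxlQQ==",
    "grouping": "!Zm9sZGVyQQ==|Z3JvdXBB",
    "username": "!dXNlckE=|Y2lwaGVyQQ==",
    "password": "!cGFzc0E=|c2VjcmV0QQ==",
    "url": "676f6f676c652e636f6d",
}
ACCOUNT_B = {
    "name": "!T0JzY3VyZQ==|c2FtcGxlQg==",
    "grouping": "!Zm9sZGVyQg==|Z3JvdXBC",
    "username": "!dXNlckI=|Y2lwaGVyQg==",
    "password": "!cGFzc0I=|c2VjcmV0Qg==",
    "url": "676f6f676c652e636f6d",
}

# Printable ASCII minus vertical tab / form feed, which never occur in a URL.
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def hex_plaintext(value):
    """Return the text behind `value` if it is hex encoding printable ASCII, else None."""
    try:
        raw = binascii.unhexlify(value)
    except (binascii.Error, ValueError):   # odd length or non-hex characters
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:            # valid hex, but the bytes are not text
        return None
    if text and all(ch in PRINTABLE for ch in text):
        return text
    return None


def audit_payload(payload):
    """Map each field to its recovered plaintext, or None when it looks opaque."""
    return {field: hex_plaintext(value) for field, value in payload.items()}


def shared_fields(payload_a, payload_b):
    """Fields whose wire value is byte-identical across two accounts.

    Ciphertext made with a fresh IV per record differs even for equal
    plaintext, so an identical field is encoded deterministically and lets
    the server correlate accounts that hold the same site.
    """
    return sorted(f for f in payload_a if payload_a[f] == payload_b.get(f))


if __name__ == "__main__":
    for field, plain in audit_payload(ACCOUNT_A).items():
        status = f"plaintext ({plain!r})" if plain else "opaque"
        print(f"{field:9s} {status}")
    print("identical across accounts:", shared_fields(ACCOUNT_A, ACCOUNT_B))
```

The hex test is only a first filter: it catches the case the article describes, but a field that decodes to non-printable bytes is not thereby proven encrypted, and a field encrypted deterministically (same key, no IV) would still show up in shared_fields even though it is ciphertext. Run both checks against a real capture of your own account before trusting a "we encrypt everything" claim.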
