Author Topic: Do you use LastPass?  (Read 4362 times)


Offline Tactile

  • Thread Starter
  • Posts: 1434
  • Location: Portland, OR
REΛLFORCE

Offline Spopepro

  • Posts: 229
Re: Do you use LastPass?
« Reply #1 on: Wed, 27 July 2016, 09:25:41 »
I'm not worried... yet. There aren't any specifics out yet, and I've always been kind of weirded out by the idea that Google employs a team of zero-day researchers who are paid to look at other companies' products. And while they don't release the details until 90 after contacting the company or a fix is in place, they appear to be free to brag about their work on social media.

In any case, LP has the report and is working on it. In the meantime, probably don't enable autofill because that's where problems were last time, and is a likely culprit again.

Offline romevi

  • Formerly romevi
  • * Exalted Elder
  • Posts: 8942
  • Location: The Windy City
Re: Do you use LastPass?
« Reply #2 on: Wed, 27 July 2016, 11:38:11 »
Yes.

Offline Coreda

  • Posts: 776
Re: Do you use LastPass?
« Reply #3 on: Wed, 27 July 2016, 12:01:28 »
I'm not worried... yet. There aren't any specifics out yet.

Yes there are, it's in the blog post.

LastPass have since released a statement that it only affects Firefox and v4.0 of the addon. v3.0 of the addon is unaffected (thankfully, since v4.0 doesn't even work on my install).

The exploit made it possible for any site to collect a user's login credentials using some scripting and special URLs. Such URLs could be made to trick LastPass into autofilling login information on sites that they weren't intended for, which could be collected by the site.

Until LastPass issued the response this was honestly a more worrying vulnerability than having their database hacked imo as there are many users who unwittingly were stuck using older versions, even with addon auto updates enabled.

Offline kenmai9

  • Unicornforce
  • * Exquisite Elder
  • Posts: 2156
  • Location: Orange County, CA
  • Skrrr
Re: Do you use LastPass?
« Reply #4 on: Wed, 27 July 2016, 12:04:26 »
Don't even save passwords in your browser.

This is how I got $400 stolen.

Someone used my saved credentials (via teamviewer, which had a huge security breach) to buy fkn gift cards from ebay/paypal, amazon and google.

I disputed all of them, but the only one who didn't budge is ****ing google.

I had to use my CC dispute on them.

I got it all back though.

But yeah. Don't save your passwords, and don't use teamviewer unattended access (I had set it up in college, but forgot to turn it off).

Offline Spopepro

  • Posts: 229
Re: Do you use LastPass?
« Reply #5 on: Wed, 27 July 2016, 12:06:50 »
I'm not worried... yet. There aren't any specifics out yet.

Yes there are, it's in the blog post.

LastPass have since released a statement that it only affects Firefox and v4.0 of the addon. v3.0 of the addon is unaffected (thankfully, since v4.0 doesn't even work on my install).

The exploit made it possible for any site to collect a user's login credentials using some scripting and special URLs. Such URLs could be made to trick LastPass into autofilling login information on sites that they weren't intended for, which could be collected by the site.

Until LastPass issued the response this was honestly a more worrying vulnerability than having their database hacked imo as there are many users who unwittingly were stuck using older versions, even with addon auto updates enabled.

No, that's a different issue, and as the post says has been patched. The one from the article linked at the top claims to be a new zero-day.

Offline Coreda

  • Posts: 776
Re: Do you use LastPass?
« Reply #6 on: Wed, 27 July 2016, 12:10:14 »
No, that's a different issue, and as the post says has been patched. The one from the article linked at the top claims to be a new zero-day.

You're correct. Had assumed it was the same vulnerability, though it's worth noting the details of that one as well.

Don't even save passwords in your browser.

This is how I got $400 stolen.

Someone used my saved credentials (via teamviewer, which had a huge security breach) to buy fkn gift cards from ebay/paypal, amazon and google.

But yeah. Don't save your passwords, and don't use teamviewer unattended access (I had set it up in college, but forgot to turn it off).

This is more an issue with Teamviewer than a compelling reason not to use password managers. Sucks all the same.
« Last Edit: Wed, 27 July 2016, 12:13:39 by Coreda »

Offline kenmai9

  • Unicornforce
  • * Exquisite Elder
  • Posts: 2156
  • Location: Orange County, CA
  • Skrrr
Re: Do you use LastPass?
« Reply #7 on: Wed, 27 July 2016, 12:23:07 »
No, that's a different issue, and as the post says has been patched. The one from the article linked at the top claims to be a new zero-day.

You're correct. Had assumed it was the same vulnerability, though it's worth noting the details of that one as well.

Don't even save passwords in your browser.

This is how I got $400 stolen.

Someone used my saved credentials (via teamviewer, which had a huge security breach) to buy fkn gift cards from ebay/paypal, amazon and google.

But yeah. Don't save your passwords, and don't use teamviewer unattended access (I had set it up in college, but forgot to turn it off).

This is more an issue with Teamviewer than a compelling reason not to use password managers. Sucks all the same.

It's both. If I didn't A. set up teamviewer unattended access and B. save my passwords, this wouldn't have happened.


Offline Spopepro

  • Posts: 229
Re: Do you use LastPass?
« Reply #8 on: Wed, 27 July 2016, 14:23:50 »
Lastpass says: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/?utm_source=TWITTER&utm_medium=social&utm_term=Customer%20Serviced-tAnswering%20CS&utm_content=20160727d-t20160727174627

So it sounds like, as usual, you need active user intervention to allow for the exploit to happen. So not worried.

Again, I have to wonder what Tavis Ormandy is trying to do. He makes a tweet saying:
Quote
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

And then sends a bunch of press releases out (within an hour or two, The Register, Forbes, and a bunch of media outlets had a story up), and it turns out it's more social engineering than anything else to get it to work. And all of this while officially working for Google. It makes me somewhat uneasy.

Offline chuckdee

  • * Destiny Supporter
  • Posts: 1308
Re: Do you use LastPass?
« Reply #9 on: Wed, 27 July 2016, 14:57:25 »
^ Same here.

Offline pmck

  • Posts: 39
  • Location: Dublin Ireland
  • Software Engineer
Re: Do you use LastPass?
« Reply #10 on: Mon, 22 August 2016, 05:47:03 »
Lastpass says: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/?utm_source=TWITTER&utm_medium=social&utm_term=Customer%20Serviced-tAnswering%20CS&utm_content=20160727d-t20160727174627

So it sounds like, as usual, you need active user intervention to allow for the exploit to happen. So not worried.

Again, I have to wonder what Tavis Ormandy is trying to do. He makes a tweet saying:
Quote
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

And then sends a bunch of press releases out (within an hour or two, The Register, Forbes, and a bunch of media outlets had a story up), and it turns out it's more social engineering than anything else to get it to work. And all of this while officially working for Google. It makes me somewhat uneasy.

Yeah pretty much, the exploit required you to click a fraudulent link and have it harvest the auto fill. Really nothing more dangerous than a normal phishing link.
   