Lastpass Security Reddit

Note: This issue has already been resolved and pushed to the Lastpass users.

Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.

For those who don’t know, LastPass is one of the world’s most popular password managers.

I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. A few cups of coffee later, I found something that looked really, really bad.

The issue

The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials.
However, the URL parsing code was flawed (bug in URL parsing? shocker!).

This was the code (lpParseUri function, un-minified):

By browsing this URL: http://avlidienbrunn.se/@twitter.com/@hehe.php the browser would treat the current domain as avlidienbrunn.se, while the extension would treat it as twitter.com. Since the code only URL-encoded the last occurrence of @, the actual domain was treated as the username portion of the URL.
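As an added illustration (not the post's own code; the un-minified lpParseUri is not reproduced here), the JavaScript below puts a toy parser that mimics the flaw described above next to one that defers to the browser's own WHATWG URL parser, plus a hypothetical shouldAutofill check that only fills a form when the host the browser actually navigated to matches the stored credential's domain:

```javascript
// Added example. flawedHost() is a constructed imitation of the behaviour the
// post describes (encode only the LAST '@', then treat everything before the
// remaining '@' as userinfo); it is not LastPass's real lpParseUri.
function flawedHost(href) {
  const lastAt = href.lastIndexOf('@');
  const encoded = lastAt === -1
    ? href
    : href.slice(0, lastAt) + '%40' + href.slice(lastAt + 1);
  // Everything after "scheme://"
  const afterScheme = encoded.slice(encoded.indexOf('://') + 3);
  // Anything before the remaining '@' is mistaken for userinfo, even if it
  // contains a '/' and is really the host plus part of the path.
  const at = afterScheme.lastIndexOf('@');
  const authority = at === -1 ? afterScheme : afterScheme.slice(at + 1);
  return authority.split(/[/:?#]/)[0];
}

// Hardened: the WHATWG URL parser ends the authority at the first '/', so an
// '@' inside the path can never become part of the host.
function parsedHost(href) {
  return new URL(href).hostname;
}

// Hypothetical autofill guard: fill only when the browser's notion of the
// current host equals the domain the credential was saved for.
function shouldAutofill(href, storedDomain) {
  return parsedHost(href) === storedDomain;
}

// Constructed inputs: the crafted URL from the post and an ordinary login page.
const CRAFTED = 'http://avlidienbrunn.se/@twitter.com/@hehe.php';
const NORMAL = 'https://twitter.com/login';

console.log('flawed parser sees:', flawedHost(CRAFTED));   // twitter.com
console.log('browser parser sees:', parsedHost(CRAFTED));  // avlidienbrunn.se
console.log('autofill twitter creds on crafted URL?', shouldAutofill(CRAFTED, 'twitter.com'));
console.log('autofill twitter creds on real login page?', shouldAutofill(NORMAL, 'twitter.com'));
```

The point for defenders is that any origin-sensitive decision (autofill, cookie scoping, CSP reporting) should use the platform's URL parser rather than a hand-rolled regex or string split.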

Too bad to be true?

Below you see that the extension would fill my form with the stored credentials for twitter.com. After that I could simply go through other commonly used sites and extract credentials for those too.

I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000.

Are password managers bad?

Should we stop using password managers? No. They are still much better than the alternative (password reuse).

That said, taking a second to disable the autofill functionality is a good move, because this isn’t the first autofill bug we’ve seen and I doubt it will be the last.

Also, this would not work if multi-factor authentication was on, so you should probably enable that as well.

Updates

Update #1 2016.07.28: There have been a lot of comments regarding the reward Mathias received from LastPass. At the time Mathias submitted this they didn’t have a bug bounty program, so he was more than satisfied with $1,000.

Update #2 2016.07.28: LastPass has commented on Mathias’s finding on their blog.

Author:

Mathias Karlsson

Security Researcher

Twitter: @avlidienbrunn

Exciting news, LastPass Authenticator users! And if you’ve been holding out on enabling this must-have security feature, we’ve got one more great reason you should turn on multifactor authentication today…

You can now back up your Authenticator data to your LastPass account, so the next time you upgrade or restore your iOS or Android phone you don’t have to re-pair anything. All your multifactor data will be automatically synced for you!

Cloud Backup = Superior Multifactor

Now, the potential inconveniences of a lost device shouldn’t keep you from turning on multifactor authentication (MFA).

Ever since we launched LastPass Authenticator last year, we’ve been focused on delivering an effortless authentication experience. Everyone should be using MFA; we believe it’s foundational to online security. By requiring additional verification before unlocking an account, you can better protect yourself from opportunistic hackers and fraudsters.

With LastPass Authenticator’s new opt-in cloud backup feature, you can restore your multifactor tokens if you lose or upgrade your phone. Combined with our unique, one-tap verification experience, LastPass Authenticator gives you all the security you need from your MFA app, without any of the frustration. When using this new feature, you’re required to also protect your LastPass account with MFA.

If you’re not using LastPass Authenticator, it’s the perfect time to start. MFA can drastically improve the security of your most important accounts like Google, Outlook, Dropbox, Evernote, or Github. Think of it like Cinderella’s slipper. A lot of women could claim to be at the ball shortly before midnight (something she knows), but only her foot fits into the slipper (something she has).

Enabling Cloud Backup in LastPass Authenticator

Enabling backup is really easy. If you’ve already got LastPass Authenticator on your device, make sure you’ve updated to the latest version. In the app, open Settings from the side “hamburger” menu and toggle the “Backup to LastPass” option.

Note that this opt-in, backup feature requires a LastPass account (it’s free!). If you’re already signed in to LastPass via our password manager app, you’ll just get a message asking you to confirm the email address of the account. If not, you’ll be guided through the steps needed to download and/or sign in to the LastPass Password Manager app.

If you’re new to MFA and just getting started with LastPass Authenticator, you’ll get a prompt to enable backup after you add your first MFA account.

This opt-in, backup feature requires a free LastPass account, and does require you to enable MFA for your own LastPass vault.

Any changes you make in the Authenticator app are synced automatically to your LastPass account. If you add or remove an MFA account, edit the name, or even change the order in which the paired accounts appear on your device, we’ll save those changes for you. You can see the latest backup details from Settings.

Restoring from a Cloud Backup in LastPass Authenticator

When you get your shiny new phone—or finish restoring one that crashed—getting your MFA codes back in LastPass Authenticator takes only a few taps. When you launch LastPass Authenticator for the first time on the new device, you’ll have the choice of adding a new account manually, or restoring from backup. Tap the grey button, and we’ll ask you to confirm your LastPass account (if you’re logged in), or pass you over to the LastPass app to log in — both of these things require MFA.

Restoring takes only a couple seconds, and then LastPass Authenticator will be just as it was on your old device—all your accounts, in the order you want, named what you want.

Importantly, when you restore from a backup, it will affect which devices receive push notifications. For example, if you set up a new iPhone 7 from a backup of your iPhone 6, the iPhone 6 will no longer receive the verification notifications. In that case, only the iPhone 7 will receive the push notifications for one-tap logins. The codes generated on the iPhone 6 will still work if entered manually, however.

Get Secure Now

This new, opt-in feature increases convenience, but does not increase the level of risk to a user’s credentials stored within LastPass when their LastPass account is protected with multifactor authentication. As we said before, we encourage users to always turn on multifactor authentication on their LastPass account, and it’s required for using this feature. For more information, please read our FAQ.

Cloud backup is free in LastPass Authenticator for iOS and Android. Head to the App Store or Google Play today, and get started with effortless multifactor authentication!