I filed the below case with LastPass support. They replied with a canned link to a KB article suggesting I use the setting "Account Logoff on Browser Close". That's not my issue, as you'll see below. Like another poster here, I looked for a formal channel to report security issues but found nothing, so this is my best option. This is written to LastPass, but also to other readers/users of LastPass. Has anyone else stumbled over the behaviour I experienced below?
We deploy all our domain computers using SCCM, so all machines have the identical OS and software configuration, including Firefox and LastPass.
Today I logged onto a particular domain computer for the first time, using my own domain credentials. As I did, I could see the name of the person who had last logged into Windows on this computer (I'll call her Debi) the day before.
After Windows logged me in and presented my desktop, I opened IE, and then I launched Firefox. When Firefox launched, the LastPass extension/toolbar was apparently not present (I have found this is common when installing LastPass using the universal installer with plug-ins included). So I opened the Firefox add-on manager and added the LastPass extension manually.
The LastPass icon in Firefox lit up red right away, indicating that I was logged in. However, I quickly noticed that I was not logged into my own LastPass account (firstname.lastname@example.org). I was logged into LastPass as Debi, the person who had used this computer yesterday.
I know what you're probably thinking; she must have used my domain login yesterday instead of her own. Not so! I'm the domain admin. She absolutely DOES NOT have and COULD NOT use my credentials to log into Windows yesterday. I can further verify this because I actually had to provide her with tech support yesterday and she was very obviously logged into Windows as herself.
How is it possible that LastPass in Firefox logged me into another Windows/LastPass user's account *automatically* when I logged into Windows and opened Firefox for the first time on this machine? IIUC, the locally-cached password vault for LastPass is stored within the user's profile folders of the logged in user. For this to happen across user profile boundaries is a HUGE security concern! If I was somehow automatically logged into HER LastPass account when I used the computer right after her, is the next person who logs into this computer after me going to automatically be logged into MY LastPass account?? This CANNOT happen.
Thanks, please let me know your thoughts. This is a big deal.
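The post's working assumption is that the LastPass extension keeps its cached state inside the logged-in user's own Firefox profile, so state should never cross Windows user boundaries. The script below is an added example (not from the original poster, and not LastPass's or Mozilla's code) of two checks a domain admin could run on the affected machine to test that assumption: whether any user's profiles.ini points Firefox at a profile directory outside that user's own folder (an absolute path, or IsRelative=0, which Firefox honours), and whether the NTFS ACL on any Firefox profile directory grants access to a principal other than the owning user, SYSTEM and Administrators. It assumes the default Firefox profile location under %APPDATA% and that user folders live under C:\Users; it does not assume anything about where LastPass specifically writes its data.

```powershell
# Added example, not part of the original post. Run elevated on the affected machine.
# Assumptions: Firefox profiles live under <user>\AppData\Roaming\Mozilla\Firefox and
# user profile folders live under C:\Users (both are Windows/Firefox defaults).

$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Parse profiles.ini into the list of profile directories it points at.
# Firefox treats Path as relative to the Firefox folder unless IsRelative=0.
function Get-FirefoxProfilePaths {
    param([string]$FirefoxDir)
    $ini = Join-Path $FirefoxDir 'profiles.ini'
    if (-not (Test-Path $ini)) { return @() }

    $sections = [ordered]@{}
    $current = $null
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }

    foreach ($name in $sections.Keys) {
        $s = $sections[$name]
        if (-not $s.ContainsKey('Path')) { continue }
        $isRelative = ($s['IsRelative'] -ne '0')
        $full = if ($isRelative) { Join-Path $FirefoxDir $s['Path'] } else { $s['Path'] }
        [pscustomobject]@{ Section = $name; Path = $full; IsRelative = $isRelative }
    }
}

$Users = Get-ChildItem -Path 'C:\Users' -Directory |
    Where-Object { $_.Name -notin @('Public', 'Default', 'Default User', 'All Users') }

foreach ($u in $Users) {
    $ffDir = Join-Path $u.FullName 'AppData\Roaming\Mozilla\Firefox'
    if (-not (Test-Path $ffDir)) { continue }

    foreach ($prof in Get-FirefoxProfilePaths -FirefoxDir $ffDir) {
        # Check 1: a profile directory outside this user's own folder is shared state,
        # so whatever an extension stores there would be visible to the next user too.
        if (-not $prof.Path.StartsWith($u.FullName, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning ("{0}: {1} points outside the user's folder: {2} (IsRelative={3})" -f
                $u.Name, $prof.Section, $prof.Path, $prof.IsRelative)
        }
        if (-not (Test-Path $prof.Path)) { continue }

        # Check 2: any ACE that grants access to someone other than the owning user,
        # SYSTEM or Administrators means another interactive user can read this profile.
        $acl = Get-Acl -Path $prof.Path
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($id -in $ExpectedPrincipals) { continue }
            if ($id -like "*\$($u.Name)") { continue }   # DOMAIN\user or MACHINE\user
            Write-Warning ("{0}: '{1}' grants {2} to {3} ({4})" -f
                $u.Name, $prof.Path, $ace.FileSystemRights, $id, $ace.AccessControlType)
        }
    }
}
```

Any warning from the first check (for example a profiles.ini in the imaged Default User folder that was copied to every new account with an absolute Path) would explain one user inheriting another's extension state, and it is worth comparing the output against a freshly imaged machine on which nobody has logged in yet. A warning from the second check is a local-access problem independent of LastPass: the ACL itself would let any user on the box read another user's browser profile.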