
Security Bug Report - Cross User Profile Login!

PostPosted: Thu Jul 18, 2019 11:17 am
by DragonRand69
I filed the below case with LastPass support. They replied with a canned link to a KB article suggesting I use the setting "Account Logoff on Browser Close". That's not my issue, as you'll see below. Like another poster here, I looked for a formal channel to report security issues but found nothing, so this is my best option. This is written to LastPass, but also to other readers/users of LastPass. Has anyone else stumbled over the behaviour I experienced below?

We deploy all our domain computers using SCCM, so all machines have the identical OS and software configuration, including Firefox and LastPass.

Today I logged onto a particular domain computer for the first time, using my own domain credentials. As I did, I could see the name of the person who had last logged into Windows on this computer (I'll call her Debi) the day before.

After Windows logged me in and presented my desktop, I opened IE, and then I launched Firefox. When Firefox launched, the LastPass extension/toolbar was apparently not present (I have found this is common when installing LastPass using the universal installer with plug-ins included). So I opened the Firefox add-on manager and added the LastPass extension manually.

The LastPass icon in Firefox lit up red right away, indicating that I was logged in. However, I quickly noticed that I was not logged into my own LastPass account (myusername@mydomain.com). I was logged into LastPass as Debi, the person who had used this computer yesterday.

I know what you're probably thinking; she must have used my domain login yesterday instead of her own. Not so! I'm the domain admin. She absolutely DOES NOT have and COULD NOT use my credentials to log into Windows yesterday. I can further verify this because I actually had to provide her with tech support yesterday and she was very obviously logged into Windows as herself.

How is it possible that LastPass in Firefox logged me into another Windows/LastPass user's account *automatically* when I logged into Windows and opened Firefox for the first time on this machine? IIUC, the locally-cached password vault for LastPass is stored within the user's profile folders of the logged-in user. For this to happen across user profile boundaries is a HUGE security concern! If I was somehow automatically logged into HER LastPass account when I used the computer right after her, is the next person who logs into this computer after me going to automatically be logged into MY LastPass account?? This CANNOT happen.

Thanks, please let me know your thoughts. This is a big deal.

B

Re: Security Bug Report - Cross User Profile Login!

PostPosted: Thu Jul 18, 2019 12:06 pm
by jpenny84
Make sure that nobody has login state sharing turned on.

Re: Security Bug Report - Cross User Profile Login!

PostPosted: Thu Jul 18, 2019 12:11 pm
by DragonRand69
jpenny84 Wrote: Make sure that nobody has login state sharing turned on.


We use login state sharing because we run multiple browsers and it's convenient for users. But login state should only be shared with other browsers within a given user profile no? It wouldn't (and I don't understand how it even *could*) share the login state with browser sessions in *another* user's Windows profile. Please correct me if I'm wrong.

Re: Security Bug Report - Cross User Profile Login!

PostPosted: Thu Jul 18, 2019 1:10 pm
by FlyingHawk
Level one support always provides canned responses (I suspect that's all they're allowed to). You must nag them to escalate the ticket to a higher level to get a proper response.

Re: Security Bug Report - Cross User Profile Login!

PostPosted: Thu Jul 18, 2019 3:30 pm
by DragonRand69
FlyingHawk Wrote: Level one support always provides canned responses (I suspect that's all they're allowed to). You must nag them to escalate the ticket to a higher level to get a proper response.


Thanks for the heads-up. I've replied to their canned email response to say that their response did not answer my question, and asking to reopen the case (if needed) and to escalate.

Re: Security Bug Report - Cross User Profile Login!

PostPosted: Fri Jul 19, 2019 12:31 pm
by Bex
DragonRand69 Wrote: I filed the below case with LastPass support. They replied with a canned link to a KB article suggesting I use the setting "Account Logoff on Browser Close". That's not my issue, as you'll see below. Like another poster here, I looked for a formal channel to report security issues but found nothing, so this is my best option. This is written to LastPass, but also to other readers/users of LastPass. Has anyone else stumbled over the behaviour I experienced below?

We deploy all our domain computers using SCCM, so all machines have the identical OS and software configuration, including Firefox and LastPass.

Today I logged onto a particular domain computer for the first time, using my own domain credentials. As I did, I could see the name of the person who had last logged into Windows on this computer (I'll call her Debi) the day before.

After Windows logged me in and presented my desktop, I opened IE, and then I launched Firefox. When Firefox launched, the LastPass extension/toolbar was apparently not present (I have found this is common when installing LastPass using the universal installer with plug-ins included). So I opened the Firefox add-on manager and added the LastPass extension manually.

The LastPass icon in Firefox lit up red right away, indicating that I was logged in. However, I quickly noticed that I was not logged into my own LastPass account (myusername@mydomain.com). I was logged into LastPass as Debi, the person who had used this computer yesterday.

I know what you're probably thinking; she must have used my domain login yesterday instead of her own. Not so! I'm the domain admin. She absolutely DOES NOT have and COULD NOT use my credentials to log into Windows yesterday. I can further verify this because I actually had to provide her with tech support yesterday and she was very obviously logged into Windows as herself.

How is it possible that LastPass in Firefox logged me into another Windows/LastPass user's account *automatically* when I logged into Windows and opened Firefox for the first time on this machine? IIUC, the locally-cached password vault for LastPass is stored within the user's profile folders of the logged-in user. For this to happen across user profile boundaries is a HUGE security concern! If I was somehow automatically logged into HER LastPass account when I used the computer right after her, is the next person who logs into this computer after me going to automatically be logged into MY LastPass account?? This CANNOT happen.

Thanks, please let me know your thoughts. This is a big deal.

B


Hi,

Thank you for bringing this to our attention. After reviewing the ticket you submitted for the issue you are experiencing with LastPass while using SCCM, it is confirmed that LastPass unfortunately does NOT provide support for SCCM due to the nature of SCCM. As an alternative, you can try to troubleshoot and resolve the issue you are experiencing with Microsoft support.

-Bex

Re: Security Bug Report - Cross User Profile Login!

PostPosted: Fri Jul 19, 2019 12:59 pm
by DragonRand69
Bex,

Thanks for your reply. I only mentioned SCCM to highlight that we deploy LastPass consistently to all computers. We have not experienced this issue before. The issue is with LastPass. SCCM is not involved in the daily operation of LastPass at all. We deploy LastPass using the commandline, in accordance with the documentation LastPass provides to admins for deployment.

Since we are deploying by following the admin documentation provided by LastPass, please explain how this is a Microsoft issue.

Please take responsibility for the secure operation of your product.

Thanks,
Bryan

Re: Security Bug Report - Cross User Profile Login!

PostPosted: Fri Jul 19, 2019 2:07 pm
by Bex
DragonRand69 Wrote: Bex,

Thanks for your reply. I only mentioned SCCM to highlight that we deploy LastPass consistently to all computers. We have not experienced this issue before. The issue is with LastPass. SCCM is not involved in the daily operation of LastPass at all. We deploy LastPass using the commandline, in accordance with the documentation LastPass provides to admins for deployment.

Since we are deploying by following the admin documentation provided by LastPass, please explain how this is a Microsoft issue.

Please take responsibility for the secure operation of your product.

Thanks,
Bryan


Hi Bryan,

Thank you for following up and providing more details on your situation. My apologies for the disconnect on my part, as the ticket unfortunately did not share that LastPass Commandline was in use as well. With that said, I have escalated your ticket to the next tier so you can receive more in-depth support to resolve this issue.

Thank you for your patience as we strive to resolve this issue to your satisfaction.
-Bex