Firefox Addon cannot login fully and allows backdoor access

PostPosted: Wed Aug 21, 2019 10:19 am
by motty953
My Firefox Addon stopped being able to log in about a week ago.
My settings for Firefox are set to delete cookies and block third party ones and delete all cache on exit as well as use private tabs.

When trying to log in, I enter user and password and never get prompted for 2-factor, where the addon seems to remain stuck. However, it seems it is partially logged in and allows me to access my settings, all without the 2-factor authentication. This seems like a major security flaw that allows a login without an account's 2-factor authentication. In addition, access to the vault seems stuck. Very annoying.

An email to support got a response that basically told me to remove all security settings from my browser. When I wrote back to support that this is a major security issue, support went silent and has not responded to any subsequent emails.

As a result, I've started evaluating other password managers. Seems like Lastpass is the only one that has issues with these security and privacy settings.

Is there anyone out there who was able to get Firefox working with LastPass with reasonable security? Has anyone else seen the partial login security flaw?


Re: Firefox Addon cannot login fully and allows backdoor access

PostPosted: Wed Aug 21, 2019 11:59 am
by jpenny84
Your security settings are a likely cause. Cookies are required to create and maintain a session. You'll either have to figure out what to whitelist, or consider using the standalone program.

Re: Firefox Addon cannot login fully and allows backdoor access

PostPosted: Wed Aug 21, 2019 3:08 pm
by motty953
What's weird is I've had these settings for years, but only now, with the newest version of the addon, did it break. In addition, I've tested Keeper, 1Password and Dashlane and they all seem to be fine with the same exact settings. What's even worse is it allows a partial login without any 2F authentication at all, which circumvents the entire purpose of 2F. So all a hacker needs to do is enable these security settings on the browser and voila, he can gain access to my account and get to the admin interface with only a password.

Re: Firefox Addon cannot login fully and allows backdoor access

PostPosted: Thu Aug 22, 2019 8:02 am
by SamuelJ
Hi @motty953,

FYI I just now had a similar issue with my LastPass extension for Firefox. After some mucking around and multiple attempts, I think I managed to get the add-on to update and that seems to have fixed the problem. Might be worth removing/reinstalling the addon to see if that helps.

On the topic of "2FA bypass", it sounds like you've gotten into the "offline access". This is a reasonable security pattern if you think about it (though I can't speak for the implementation). Since you've logged into the device before, it acts as the second factor ("something you have"/computer + "something you know"/password) for offline data, but it will still require your mobile authenticator to resume ongoing online access to your account. Importantly, this won't work for some hacker in a foreign country - they will still need the 2FA code before the addon will download any of your vault data (assuming this is implemented correctly).

From a security standpoint, note that this data is already on the device, and your password is the decryption key, so giving you access is reasonable (it's just user-friendly access to what's already there). Personally I reckon it should give you a clearer option to wipe local data on logout. Nevertheless, in general you should assume that unless you've performed a cryptographically secure wipe then your data is still left on the device. If that concerns you then you should be using disk encryption, BitLocker, etc.

You're right about the cookies. It's weird that an add-on/browser extension would stop working because of this because it has other (more robust) ways it can persist data.

Hope that helps!