Share password vulnerability found

Postby drahgon55226 » Tue Sep 10, 2019 9:45 pm

I found a major bug in your share feature. If the user is using Google Chrome password manager and LastPass, once a user logs in to a shared password site, Google password manager offers to save the password, and there is an icon that lets the user see the hidden shared password. Please disable, fix, or warn users of this vulnerability.
drahgon55226
 
Posts: 1
Joined: Tue Sep 10, 2019 9:30 pm

Re: Share password vulnerability found

Postby jpenny84 » Tue Sep 10, 2019 10:35 pm

This has been noted in the sharing documentation for quite some time now. It's not really a vulnerability since LastPass has zero control over a password once it is released from the password manager into the browser. Best practice is to be aware of this and share accordingly.
jpenny84
 
Posts: 8663
Joined: Tue Mar 06, 2012 9:10 pm

Re: Share password vulnerability found

Postby FlyingHawk » Tue Sep 10, 2019 11:20 pm

This has always been noted in docs.
See https://support.logmeininc.com/lastpass ... 0007#About
It's not a bug or vulnerability because it is the expected behaviour. It can only be considered as a limitation.

I personally think LastPass should just remove the "hidden shared password" "feature". It's just an impossible feature that brings users a false sense of security that is actually beyond LastPass's threat model.
FlyingHawk
 
Posts: 790
Joined: Wed Mar 18, 2015 12:04 pm

