
Share password vulnerability found

Posted: Tue Sep 10, 2019 9:45 pm
by drahgon55226
I found a major bug in your share feature. If the user is using the Google Chrome password manager and LastPass, once a user logs in to a shared password site, the Google password manager offers to save the password, and there is an icon that lets the user see the hidden shared password. Please disable, fix or warn users of this vulnerability.

Re: Share password vulnerability found

Posted: Tue Sep 10, 2019 10:35 pm
by jpenny84
This has been noted in the sharing documentation for quite some time now. It's not really a vulnerability since LastPass has zero control over a password once it is released from the password manager into the browser. Best practice is to be aware of this and share accordingly.

Re: Share password vulnerability found

Posted: Tue Sep 10, 2019 11:20 pm
by FlyingHawk
This has always been noted in docs.
See https://support.logmeininc.com/lastpass ... 0007#About
It's not a bug or vulnerability because it is the expected behaviour. It can only be considered a limitation.

I personally think LastPass should just remove the "hidden shared password" "feature". It's just an impossible feature that brings users a false sense of security that is actually beyond LastPass's threat model.