
What's up with these vulnerabilities?

Posted: Tue Mar 24, 2020 6:30 pm
by jordan928

Re: What's up with these vulnerabilities?

Posted: Tue Mar 24, 2020 9:42 pm
by jpenny84
If you read the actual paper, the potential issues reported to the vendors were either fixed or deemed to be low priority.

Multiple password-manager flaws permit password theft

Posted: Wed Mar 25, 2020 5:48 pm
by van619
Can you please reply with how LastPass is addressing the LastPass flaws expressed in this article?

https://www.tomsguide.com/news/password-manager-hacks

What can I do to stay safe? Not use Chrome or the Android App?

Thanks,
Van Hallman

Re: Multiple password-manager flaws permit password theft

Posted: Wed Mar 25, 2020 6:04 pm
by jpenny84
van619 Wrote: Can you please reply with how LastPass is addressing the LastPass flaws expressed in this article?

https://www.tomsguide.com/news/password-manager-hacks

What can I do to stay safe? Not use Chrome or the Android App?

Thanks,
Van Hallman


I would recommend reading the research. Besides the fact that this is old news (the versions they tested were from 2017), the researchers reported what they found to the vendors and they were either addressed, or deemed to be a low priority.

The people reporting on this are doing so to generate website traffic.

...widely used password managers have serious flaws

Posted: Thu Mar 26, 2020 2:37 pm
by musorbox
https://www.tomsguide.com/news/password-manager-hacks
I know, <tomsguide> IS NOT a major cyber-security news source, but anyway, it's part of my news feed, delivered automatically by Google.
I've been a loyal LastPass customer for more than 5 years, and it never failed me... Would like to see a prompt response to such news from the respected LastPass team!
Thanks!!! 8-)

Re: ...widely used password managers have serious flaws

Posted: Thu Mar 26, 2020 4:13 pm
by jpenny84
musorbox Wrote: https://www.tomsguide.com/news/password-manager-hacks
I know, <tomsguide> IS NOT a major cyber-security news source, but anyway, it's part of my news feed, delivered automatically by Google.
I've been a loyal LastPass customer for more than 5 years, and it never failed me... Would like to see a prompt response to such news from the respected LastPass team!
Thanks!!! 8-)


The article is basically clickbait to generate site traffic. If you read the research, it is based on extension/app versions from 2017. Also, the vendors were notified, and the issues were either fixed, or deemed to be low priority.

Re: What's up with these vulnerabilities?

Posted: Fri Mar 27, 2020 11:37 am
by glennd
The vulnerability detailed in this research was originally reported to us in 2018 and at that time we implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack. While continued efforts from the web and Android communities will also be required, our app requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted. Additionally, based on our findings, this type of vulnerability would not only require a significant amount of effort on the side of the attacker but also a significant number of mistakes to be made by a user. Generally speaking, there is always some risk if installing apps from unknown sources, which is why it is recommended to only install apps which are known to be safe from the official Google Play store.

We are constantly evaluating ways to improve the autofill flow to protect our users while still offering a convenient login experience. If the user wants to be in control of the credential filling, this option is available as an extension preference setting and, for Enterprise users, as a policy. Additionally, users are not required to use pageload autofill with LastPass; they can disable autofill by visiting the extension and clicking Account Options > Extension Preferences and deselecting the Automatically fill login information box. It is also always in the user’s best interest to enable MFA for all online accounts, including LastPass, since it can protect them further. As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond to and fix potential vulnerability reports as quickly as possible.

Glenn Dobson | Community Leader, Social Support
LogMeInInc.com