Lastpass on Android security issue

Tell us what features would make LastPass even better and vote for features that are most important to you

Moderators: admin, anatoly_LP, chantieLP, robyn, JoeSiegrist

Lastpass on Android security issue

Postby oh531 » Fri Nov 21, 2014 5:54 pm

This is very troubling:

http://arstechnica.com/security/2014/11 ... g-attacks/

This issue totally defeats the purpose of having a password manager. Anybody who value their online safety should NOT use Lastpass, or similarly working password managers, on Android.

I hope Lastpass at least inform their users of this issue, seeing how serious it is.
oh531
 
Posts: 11
Joined: Fri Jun 21, 2013 12:00 pm

Re: Lastpass on Android security issue

Postby Lars » Fri Nov 21, 2014 6:45 pm

You should not use the clipboard. It's not a LastPass issue, but a clipboard issue.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Lastpass on Android security issue

Postby oh531 » Fri Nov 21, 2014 6:54 pm

Lastpass uses the clipboard for its functionality. Not me. Please read the article.
oh531
 
Posts: 11
Joined: Fri Jun 21, 2013 12:00 pm

Re: Lastpass on Android security issue

Postby jpenny84 » Fri Nov 21, 2014 7:24 pm

Looking at the replies that @LastPassHelp on Twitter is sending to the dozens of people who linked them the article:

1. This has been addressed in Android 5.0 Lollipop
2. LastPass is working on a fix to the problem in a future update.
3. Use the LastPass keyboard if you are concerned.
jpenny84
 
Posts: 8866
Joined: Tue Mar 06, 2012 9:10 pm

Re: Lastpass on Android security issue

Postby oh531 » Fri Nov 21, 2014 8:07 pm

jpenny84 Wrote:Looking at the replies that @LastPassHelp on Twitter is sending to the dozens of people who linked them the article:

1. This has been addressed in Android 5.0 Lollipop
2. LastPass is working on a fix to the problem in a future update.
3. Use the LastPass keyboard if you are concerned.


All the things you mention are great. But Lastpass users need to be made aware of them.
Most Lastpass users don't follow their twitter, so It would be better if Lastpass would send a
mail to all its users, and advice them of the useful keyboard workaround you mention.

Even if the issue isn't strictly Lastpass' fault, being open and honest about things is
always good, and in this case, many users could be saved from malware stealing
clipboard content, if they knew about the keyboard way.

Anyway, those are my 2 cents. Thanks!
oh531
 
Posts: 11
Joined: Fri Jun 21, 2013 12:00 pm

Re: Lastpass on Android security issue

Postby bimmerdriver » Sat Nov 22, 2014 2:35 pm

I've been using LastPass for a while, but I haven't committed to it. It's only on one of my computers, not on my Android phone, and I'm not using it for all of my accounts, particularly not for important accounts, such as banking. The response to this issue by LastPass is precisely why I've been hesitant. The fact that the CEO dismissively blamed the security issue on the Android clipboard and suggested that users should only run "trusted apps", does nothing to increase my trust in LastPass, either the software or the company. I get the impression that LastPass knew about this issue all along, but knowingly decided not to inform users. This is the opposite way that LastPass should have handled this issue. Rather than sweeping it under the carpet, LastPass should have put the security of its users first and informed them of the issue.

I can't help but wonder why LastPass is using the Android clipboard if it's not secure. Apparently it's not used on the Windows Phone version, so why on the Android version?
bimmerdriver
 
Posts: 61
Joined: Sat Sep 06, 2014 2:06 pm

Re: Lastpass on Android security issue

Postby Lars » Sat Nov 22, 2014 2:44 pm

They did in fact address the issue. Take a look at their tweets etc.
LastPass is by far the most open and responsive company when it comes to weaknesses in their product. They actually want to improve their product.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Lastpass on Android security issue

Postby SuffolkPunch » Sun Nov 23, 2014 2:15 pm

Lars Wrote:They did in fact address the issue. Take a look at their tweets etc.
LastPass is by far the most open and responsive company when it comes to weaknesses in their product. They actually want to improve their product.


I'm a LastPass Premium Member who doesn't use Twitter. Of course, I could go to https://twitter.com/LastPassHelp every day and trawl through the the tweets in the off chance there's something useful...but that's too inefficient!

It would be good to have a more in-depth technical explanation of this issue, rather than the limited detail that a tweet can impart!
In particular, more info on these two statements:
1. This has been addressed in Android 5.0 Lollipop
2. LastPass is working on a fix to the problem in a future update.

Is that greater depth available anywhere?
SuffolkPunch
 
Posts: 3
Joined: Sun Feb 26, 2012 4:17 am
Location: UK

Re: Lastpass on Android security issue

Postby bimmerdriver » Sun Nov 23, 2014 3:11 pm

Lars Wrote:They did in fact address the issue. Take a look at their tweets etc.
LastPass is by far the most open and responsive company when it comes to weaknesses in their product. They actually want to improve their product.

Firstly, like many people, I don't use twitter and probably never will. Lastpass should not rely upon users following their twitter feed for important security bulletins. Lastpass has the email address for all of their users. I get lots of emails from Lastpass, but nothing on this important issue.

Secondly, based on the arstechnica article, I would not call the company open and responsive. They knew, or should have known, about the problem for a long time, but didn't disclose it and they still haven't fixed it. The comment that users should not use "untrusted" applications is practically insulting. An application requires no privileges to read the clipboard. Any application can do it.

Thirdly, relying upon lollipop to fix the issue means that many users will not get a fix for months, or longer, or never.
bimmerdriver
 
Posts: 61
Joined: Sat Sep 06, 2014 2:06 pm

Re: Lastpass on Android security issue

Postby jpenny84 » Sun Nov 23, 2014 3:42 pm

I checked social media because the article was released on Friday afternoon and I was expecting the paranoid to flock in here over the weekend demanding an immediate answer.
jpenny84
 
Posts: 8866
Joined: Tue Mar 06, 2012 9:10 pm

Next

Return to Feature Requests

Who is online

Users browsing this forum: Google Feedfetcher and 18 guests