LastPass Forums

[oh531]

This is very troubling:

http://arstechnica.com/security/2014/11 ... g-attacks/

This issue totally defeats the purpose of having a password manager. Anybody who value their online safety should NOT use Lastpass, or similarly working password managers, on Android.

I hope Lastpass at least inform their users of this issue, seeing how serious it is.

[Lars]

You should not use the clipboard. It's not a LastPass issue, but a clipboard issue.

[oh531]

Lastpass uses the clipboard for its functionality. Not me. Please read the article.

[jpenny84]

Looking at the replies that @LastPassHelp on Twitter is sending to the dozens of people who linked them the article:

1. This has been addressed in Android 5.0 Lollipop
2. LastPass is working on a fix to the problem in a future update.
3. Use the LastPass keyboard if you are concerned.

[oh531]

Looking at the replies that @LastPassHelp on Twitter is sending to the dozens of people who linked them the article:

1. This has been addressed in Android 5.0 Lollipop
2. LastPass is working on a fix to the problem in a future update.
3. Use the LastPass keyboard if you are concerned.

All the things you mention are great. But Lastpass users need to be made aware of them.
Most Lastpass users don't follow their twitter, so It would be better if Lastpass would send a
mail to all its users, and advice them of the useful keyboard workaround you mention.

Even if the issue isn't strictly Lastpass' fault, being open and honest about things is
always good, and in this case, many users could be saved from malware stealing
clipboard content, if they knew about the keyboard way.

Anyway, those are my 2 cents. Thanks!

[bimmerdriver]

I've been using LastPass for a while, but I haven't committed to it. It's only on one of my computers, not on my Android phone, and I'm not using it for all of my accounts, particularly not for important accounts, such as banking. The response to this issue by LastPass is precisely why I've been hesitant. The fact that the CEO dismissively blamed the security issue on the Android clipboard and suggested that users should only run "trusted apps", does nothing to increase my trust in LastPass, either the software or the company. I get the impression that LastPass knew about this issue all along, but knowingly decided not to inform users. This is the opposite way that LastPass should have handled this issue. Rather than sweeping it under the carpet, LastPass should have put the security of its users first and informed them of the issue.

I can't help but wonder why LastPass is using the Android clipboard if it's not secure. Apparently it's not used on the Windows Phone version, so why on the Android version?

[Lars]

They did in fact address the issue. Take a look at their tweets etc.
LastPass is by far the most open and responsive company when it comes to weaknesses in their product. They actually want to improve their product.

[SuffolkPunch]

They did in fact address the issue. Take a look at their tweets etc.
LastPass is by far the most open and responsive company when it comes to weaknesses in their product. They actually want to improve their product.

I'm a LastPass Premium Member who doesn't use Twitter. Of course, I could go to https://twitter.com/LastPassHelp every day and trawl through the the tweets in the off chance there's something useful...but that's too inefficient!

It would be good to have a more in-depth technical explanation of this issue, rather than the limited detail that a tweet can impart!
In particular, more info on these two statements:
1. This has been addressed in Android 5.0 Lollipop
2. LastPass is working on a fix to the problem in a future update.

Is that greater depth available anywhere?

[bimmerdriver]

They did in fact address the issue. Take a look at their tweets etc.
LastPass is by far the most open and responsive company when it comes to weaknesses in their product. They actually want to improve their product.

Firstly, like many people, I don't use twitter and probably never will. Lastpass should not rely upon users following their twitter feed for important security bulletins. Lastpass has the email address for all of their users. I get lots of emails from Lastpass, but nothing on this important issue.

Secondly, based on the arstechnica article, I would not call the company open and responsive. They knew, or should have known, about the problem for a long time, but didn't disclose it and they still haven't fixed it. The comment that users should not use "untrusted" applications is practically insulting. An application requires no privileges to read the clipboard. Any application can do it.

Thirdly, relying upon lollipop to fix the issue means that many users will not get a fix for months, or longer, or never.

[jpenny84]

I checked social media because the article was released on Friday afternoon and I was expecting the paranoid to flock in here over the weekend demanding an immediate answer.