Disable Auto-Fill for my whole account


Postby yakatz » Wed Mar 14, 2012 11:43 pm

I had a password stolen because LastPass automatically filled in a phishing form (generated through an XSS attack) that used javascript to get the values without the page being submitted.
I have already disabled auto-fill in Chrome, but I would rather not need to do it in every browser. It would be nice if there was a feature to completely disable it across my whole account.
(I know how the hack worked because the person showed me.)
yakatz
 
Posts: 4
Joined: Wed Mar 14, 2012 11:39 pm

Re: Disable Auto-Fill for my whole account

Postby sameer » Thu Mar 15, 2012 10:32 am

This is impossible unless the trusted site was compromised.
If you visit ebay.com and you went to a phishing site named ebaybad.com, LastPass will NOT fill in your ebay.com credentials into ebaybad.com's website.
So please clarify....maybe you didn't mean 'phishing'?

yakatz Wrote:It would be nice if there was a feature to completely disable it across my whole account.


Some people want features enabled in one browser and not in another, so we make the options browser specific.
You'll have to set it in each browser you use.

Thanks.
sameer
Site Admin
 
Posts: 266
Joined: Tue Aug 19, 2008 9:43 pm
Location: Toronto, Canada

Re: Disable Auto-Fill for my whole account

Postby yakatz » Thu Mar 15, 2012 1:06 pm

sameer Wrote:This is impossible unless the trusted site was compromised.
If you visit ebay.com and you went to a phishing site named ebaybad.com, LastPass will NOT fill in your ebay.com credentials into ebaybad.com's website.
So please clarify....maybe you didn't mean 'phishing'?


The trusted site was vulnerable to cross-site scripting. The site I am talking about is a forum. A user found that javascript in the forum posts was not being sanitized and created a copy of the login form in his post with some javascript that sent him the username and password every time the values were changed. LastPass filled in the fake login form (because it matched the expected login form for that URL.)
yakatz
 
Posts: 4
Joined: Wed Mar 14, 2012 11:39 pm

Re: Disable Auto-Fill for my whole account

Postby sameer » Thu Mar 15, 2012 1:14 pm

Ah...ok...so it wasn't phishing, but a pure XSS attack against the vulnerable website.
Even if you didn't have LastPass autofill, the hacker would get your credentials the next time you logged in.
Choosing not to autofill would not protect you as eventually you would log into the site and your info would be captured.

If a 3rd party site has been compromised or has an XSS vulnerability, then LastPass can only help by mitigating the damage:
Hopefully you used LastPass to generate a unique random password for the site so that none of your other sites are affected.

Thanks.
sameer
Site Admin
 
Posts: 266
Joined: Tue Aug 19, 2008 9:43 pm
Location: Toronto, Canada

Re: Disable Auto-Fill for my whole account

Postby yakatz » Thu Mar 15, 2012 1:27 pm

sameer Wrote:Even if you didn't have LastPass autofill, the hacker would get your credentials the next time you logged in.
Choosing not to autofill would not protect you as eventually you would log into the site and your info would be captured.

No, because the javascript can only load once you are already logged in. (It is a private forum.)

Either way, I can see other reasons that this feature (to completely disable auto-fill) might be useful. Maybe you will consider it for inclusion in the future.
yakatz
 
Posts: 4
Joined: Wed Mar 14, 2012 11:39 pm

Re: Disable Auto-Fill for my whole account

Postby kilgry » Thu Mar 15, 2012 5:18 pm

Does this setting play into it?

Go into LastPass --> Pull-down Menu --> Preferences --> Advanced and the “Automatically login to sites if time since last login > (seconds)”

Is it possible LastPass filled out the false login request automatically because of this setting?
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: Disable Auto-Fill for my whole account

Postby yakatz » Thu Mar 15, 2012 5:22 pm

kilgry Wrote:Is it possible LastPass filled out the false login request automatically because of ____?

The point of my request is to have a way across my entire LastPass account to disable automatically filling out any form.
I know that I had auto-fill enabled before. It is now disabled in the Chrome extension, but I would like to completely disable it if possible.
yakatz
 
Posts: 4
Joined: Wed Mar 14, 2012 11:39 pm

Re: Disable Auto-Fill for my whole account

Postby kilgry » Thu Mar 15, 2012 5:44 pm

Understood, but even right now the autofill does not affect this other setting I mentioned.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm
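
The autofill question debated in this thread, as an added example that is not part of any post and is not LastPass code: a hypothetical fill policy that refuses to fill a login form found anywhere other than the saved login page and never fills without a user action. The entry fields, page fields, reason strings and the `forum.example` host are assumptions made for illustration.

```javascript
// Added example: hypothetical autofill policy, not LastPass's implementation.
// Constructed sample entry: records the exact page where the login was saved.
const savedEntry = {
  origin: "https://forum.example",
  loginPath: "/ucp.php",
};

// Decide whether to fill a form that was detected on a page.
// page = { url, formAction, userInitiated }
function autofillDecision(entry, page) {
  let pageUrl, actionUrl;
  try {
    pageUrl = new URL(page.url);
    // An empty or relative action resolves against the page, as browsers do.
    actionUrl = new URL(page.formAction || "", pageUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable-url" };
  }
  if (pageUrl.protocol !== "https:") {
    return { fill: false, reason: "insecure-page" };
  }
  // Exact origin comparison: a lookalike host never matches.
  if (pageUrl.origin !== entry.origin) {
    return { fill: false, reason: "origin-mismatch" };
  }
  // The form must submit back to the same origin.
  if (actionUrl.origin !== entry.origin) {
    return { fill: false, reason: "cross-origin-action" };
  }
  // A login form inside a forum post sits on the right origin but on the
  // wrong page; matching only the origin is what lets it receive credentials.
  if (pageUrl.pathname !== entry.loginPath) {
    return { fill: false, reason: "not-login-page" };
  }
  // Values placed in the DOM are readable by any script on the page, so
  // nothing is filled until the user explicitly asks for it.
  if (!page.userInitiated) {
    return { fill: false, reason: "needs-user-gesture" };
  }
  return { fill: true, reason: "ok" };
}
```

This narrows where credentials are exposed but does not help if the login page itself can be scripted; the site still has to sanitize posts.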

