Huge security vulnerability - please fix!


Huge security vulnerability - please fix!

Postby agreenbhm » Sat Aug 11, 2012 11:15 am

I discovered a security vulnerability in the LastPass Android app. I'm running Android 4.0.4 (ICS). In ICS, if you long-press the home key (or press the "window switch key"), all of your recently used apps appear, to scroll through and select. These apps show thumbnails of the app when you were last in it. If you are in LastPass and then switch to another app, the thumbnail for LastPass will be the last screen you were on. Usually this is a screen displaying passwords (if you were in LastPass to copy a password to paste into another app). As a result, the recently used programs thumbnail will DISPLAY YOUR PASSWORDS WITHOUT RE-AUTHENTICATING, even if you have settings to auto-logout and/or re-prompt for password or PIN.

Someone that opens the recently used apps list can now see whatever password you were looking up. Of course, this would require someone to have physical access to your phone and be able to use it (i.e. no lockscreen password or otherwise); however, many people don't secure their lockscreen and leave their phones all over the place, especially at work, meaning someone could easily pick up a phone lying around and view the password.

Please fix ASAP. If this is an Android issue unable to be fixed, perhaps add a LP feature to blackout the screen when you switch to another app, causing the thumbnail to be a blank image.
agreenbhm
 
Posts: 10
Joined: Sat Aug 11, 2012 11:08 am
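One way to implement the blackout the post asks for, as an added example that is not LastPass's own code: setting FLAG_SECURE on the activity window, which Android honours by excluding the window from screenshots and the recent-apps thumbnail, plus hiding the sensitive views as soon as the activity leaves the foreground. R.layout.activity_vault, R.id.vault_content and VaultActivity are placeholder names assumed for the example.

```java
// Added example (not LastPass code): an Android Activity that keeps its
// contents out of the recents-screen thumbnail described in the post.
// Assumes a layout resource R.layout.activity_vault with a root view
// R.id.vault_content (placeholder names).
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;

public class VaultActivity extends Activity {

    private View vaultContent;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE marks the window content as sensitive: the system
        // will not capture it for screenshots or the recent-apps
        // thumbnail, so the thumbnail comes up blank instead of showing
        // whatever password or secure note was on screen.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_vault);
        vaultContent = findViewById(R.id.vault_content);
    }

    @Override
    protected void onPause() {
        // Belt and braces: hide the sensitive views as soon as the activity
        // leaves the foreground (app switch, home key, screen off), so a
        // capture taken at that moment shows an empty screen.
        vaultContent.setVisibility(View.INVISIBLE);
        super.onPause();
    }

    @Override
    protected void onResume() {
        super.onResume();
        // A re-prompt for the PIN/master password before re-showing the
        // content would go here; this example simply restores visibility.
        vaultContent.setVisibility(View.VISIBLE);
    }
}
```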

Re: Huge security vulnerability - please fix!

Postby Lars » Sat Aug 11, 2012 12:15 pm

Why would your password be visible if you merely copied it..??
Just long-press the site in question and select "copy password".
There's absolutely no need to see the password in plaintext.
Lars
 
Posts: 2170
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Huge security vulnerability - please fix!

Postby agreenbhm » Sat Aug 11, 2012 12:18 pm

Lars wrote: Why would your password be visible if you merely copied it..??
Just long-press the site in question and select "copy password".
There's absolutely no need to see the password in plaintext.


Incorrect. If you store passwords in the "notes" section for sites or for secure notes, you need to view the pw to copy it.
agreenbhm
 
Posts: 10
Joined: Sat Aug 11, 2012 11:08 am

Re: Huge security vulnerability - please fix!

Postby agreenbhm » Sat Aug 11, 2012 12:20 pm

agreenbhm wrote:
Lars wrote: Why would your password be visible if you merely copied it..??
Just long-press the site in question and select "copy password".
There's absolutely no need to see the password in plaintext.


Incorrect. If you store passwords in the "notes" section for sites or for secure notes, you need to view the pw to copy it.


And for that matter, any "secure notes" that you're looking at are vulnerable, too. Maybe it's not just a password you want to protect...
agreenbhm
 
Posts: 10
Joined: Sat Aug 11, 2012 11:08 am

Re: Huge security vulnerability - please fix!

Postby agreenbhm » Sat Aug 11, 2012 12:23 pm

Lars wrote: Why would your password be visible if you merely copied it..??
Just long-press the site in question and select "copy password".
There's absolutely no need to see the password in plaintext.


Sorry to keep replying, but I'm shocked that this is your response. The fact that you don't need to view them in plaintext completely misses the point. A security vulnerability doesn't need to be something that comes up often; the vulnerability is there, so it should be fixed. If 1% of your users are subjected to this, that's 1% too many.
agreenbhm
 
Posts: 10
Joined: Sat Aug 11, 2012 11:08 am

Re: Huge security vulnerability - please fix!

Postby Lars » Sat Aug 11, 2012 12:32 pm

No need to be shocked.. I'm extremely anal when it comes to security and am of the firm belief that it all starts with the user taking personal responsibility for their actions - this includes not leaving anything out in the open (as in a password in plaintext).

Yes, it should be fixed, but I still don't consider this a "Huge security vulnerability".
Lars
 
Posts: 2170
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Huge security vulnerability - please fix!

Postby agreenbhm » Sat Aug 11, 2012 12:39 pm

Lars wrote: No need to be shocked.. I'm extremely anal when it comes to security and am of the firm belief that it all starts with the user taking personal responsibility for their actions - this includes not leaving anything out in the open (as in a password in plaintext).

Yes, it should be fixed, but I still don't consider this a "Huge security vulnerability".


I disagree; I think it's bigger than you're giving it credit. Most LP users are NOT security-conscious folks. Simply using LP is about as security-conscious as they're going to get. I know that I need to protect myself by closing out of the app, but what about those that are totally unaware of this?

I agree that security is my responsibility, however, customers rely on LP to secure them, and this is a gaping hole in a product people pay for so they don't need to worry about security. (Again, I'm not talking about myself, I'm talking about casual users).
agreenbhm
 
Posts: 10
Joined: Sat Aug 11, 2012 11:08 am

Re: Huge security vulnerability - please fix!

Postby Lars » Sat Aug 11, 2012 12:45 pm

For this "Huge security vulnerability" to happen, you'd need to be looking up a password, viewing it in plaintext, then lose your phone (if only for a brief moment), then have a thief steal your one password.

I know you disagree, but to me, this doesn't pose a "Huge security vulnerability".

agreenbhm wrote: I agree that security is my responsibility, however, customers rely on LP to secure them, and this is a gaping hole in a product people pay for so they don't need to worry about security.

Anyone deciding not to worry about security gets exactly what they're doing.. No security. I know it sounds harsh, but it's a sad reality: without user involvement, security isn't going to happen.
Lars
 
Posts: 2170
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Huge security vulnerability - please fix!

Postby jpenny84 » Sat Aug 11, 2012 1:07 pm

If you were on an online banking website last in your web browser, someone could see the screen capture of your financial information in the app switcher. I always advocate setting a passcode or pattern lock on mobile phones. It's inconvenient and you don't get access to Android's neat lock screen, but people carry too much of their lives on smartphones and should lock them down.
jpenny84
 
Posts: 1646
Joined: Tue Mar 06, 2012 9:10 pm

Re: Huge security vulnerability - please fix!

Postby agreenbhm » Sat Aug 11, 2012 1:11 pm

jpenny84 wrote: If you were on an online banking website last in your web browser, someone could see the screen capture of your financial information in the app switcher. I always advocate setting a passcode or pattern lock on mobile phones. It's inconvenient and you don't get access to Android's neat lock screen, but people carry too much of their lives on smartphones and should lock them down.


I agree completely (about the lockscreen), however, in reality many people don't use that and won't. And as far as a banking site goes, yes, account numbers or balances could be captured, but not plaintext passwords. I don't think this is apples-to-apples. Still a good point, though.
agreenbhm
 
Posts: 10
Joined: Sat Aug 11, 2012 11:08 am
