What's up with these vulnerabilities?


What's up with these vulnerabilities?

Postby jordan928 » Tue Mar 24, 2020 6:30 pm

jordan928
 
Posts: 27
Joined: Sun Apr 12, 2015 5:05 pm

Re: What's up with these vulnerabilities?

Postby jpenny84 » Tue Mar 24, 2020 9:42 pm

If you read the actual paper, the potential issues reported to the vendors were either fixed or deemed to be low priority.
jpenny84
 
Posts: 9125
Joined: Tue Mar 06, 2012 9:10 pm

Multiple password-manager flaws permit password theft

Postby van619 » Wed Mar 25, 2020 5:48 pm

Can you please reply with how LastPass is addressing the LastPass flaws expressed in this article?

https://www.tomsguide.com/news/password-manager-hacks

What can I do to stay safe? Not use Chrome or the Android App?

Thanks,
Van Hallman
van619
 
Posts: 1
Joined: Fri Dec 23, 2016 10:20 am

Re: Multiple password-manager flaws permit password theft

Postby jpenny84 » Wed Mar 25, 2020 6:04 pm

van619 Wrote: Can you please reply with how LastPass is addressing the LastPass flaws expressed in this article?

https://www.tomsguide.com/news/password-manager-hacks

What can I do to stay safe? Not use Chrome or the Android App?

Thanks,
Van Hallman


I would recommend reading the research. Besides the fact that this is old news (the versions they tested were from 2017), the researchers reported what they found to the vendors and they were either addressed, or deemed to be a low priority.

The people reporting on this are doing so to generate website traffic.
jpenny84
 
Posts: 9125
Joined: Tue Mar 06, 2012 9:10 pm

...widely used password managers have serious flaws

Postby musorbox » Thu Mar 26, 2020 2:37 pm

https://www.tomsguide.com/news/password-manager-hacks
I know, <tomsguide> IS NOT a major cyber-security news source, but anyway, it's part of my news feed, delivered automatically by Google.
I've been a loyal LastPass customer for more than 5 years, and it never failed me... Would like to see a prompt response to such news from the respected LastPass team!
Thanks!!! 8-)
musorbox
 
Posts: 1
Joined: Thu Mar 26, 2020 2:26 pm

Re: ...widely used password managers have serious flaws

Postby jpenny84 » Thu Mar 26, 2020 4:13 pm

musorbox Wrote: https://www.tomsguide.com/news/password-manager-hacks
I know, <tomsguide> IS NOT a major cyber-security news source, but anyway, it's part of my news feed, delivered automatically by Google.
I've been a loyal LastPass customer for more than 5 years, and it never failed me... Would like to see a prompt response to such news from the respected LastPass team!
Thanks!!! 8-)


The article is basically clickbait to generate site traffic. If you read the research, it is based on extension/app versions from 2017. Also, the vendors were notified, and the issues were either fixed, or deemed to be low priority.
jpenny84
 
Posts: 9125
Joined: Tue Mar 06, 2012 9:10 pm

Re: What's up with these vulnerabilities?

Postby glennd » Fri Mar 27, 2020 11:37 am

The vulnerability detailed in this research was originally reported to us in 2018 and at that time we implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack. While continued efforts from the web and Android communities will also be required, our app requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted. Additionally, based on our findings, this type of vulnerability would not only require a significant amount of effort on the side of the attacker but also a significant number of mistakes to be made by a user. Generally speaking, there is always some risk if installing apps from unknown sources, which is why it is recommended to only install apps which are known to be safe from the official Google Play store.

We are constantly evaluating ways to improve the autofill flow to protect our users while still offering a convenient login experience. If the user wants to be in control of the credential filling, this option is available as an extension preference setting and, for Enterprise users, as a policy. Additionally, users are not required to use pageload autofill with LastPass; they can disable autofill by visiting the extension, clicking Account Options > Extension Preferences, and deselecting the Automatically fill login information box. It is also always in the user’s best interest to enable MFA for all online accounts, including LastPass, since it can protect them further. As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond to and fix potential vulnerability reports as quickly as possible.

Glenn Dobson | Community Leader, Social Support
LogMeInInc.com
glennd
 
Posts: 28
Joined: Fri Apr 26, 2019 1:41 pm
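
An added illustration of the two mitigations described in the post above (explicit approval before filling unknown apps, and an app associations database that resists "fake apps"). This is not LastPass code: the association record layout, the check against a signing-certificate SHA-256 digest, and every name and sample value are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    FILL = "fill"          # association verified, fill silently
    ASK_USER = "ask_user"  # unknown pairing, needs explicit approval
    REFUSE = "refuse"      # known package name signed by someone else


@dataclass(frozen=True)
class Association:
    package: str
    cert_sha256: str       # digest of the app's signing certificate
    domains: frozenset     # web domains this app may receive logins for


def cert_digest(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample data: one vetted app and its (fake) signing certificate.
GENUINE_CERT = b"constructed-signing-cert-of-genuine-app"
ASSOCIATIONS = {
    "com.example.bank": Association(
        "com.example.bank", cert_digest(GENUINE_CERT),
        frozenset({"bank.example.com"})),
}


def autofill_decision(package, cert_der, entry_domain,
                      user_approved=frozenset(), db=ASSOCIATIONS):
    """Decide whether a vault entry for entry_domain may be filled into
    the requesting app, identified by package name and signing cert."""
    digest = cert_digest(cert_der)
    assoc = db.get(package)
    if assoc is None:
        # Unknown app: fill only if the user approved this exact
        # (package, signer, domain) combination earlier.
        if (package, digest, entry_domain) in user_approved:
            return Decision.FILL
        return Decision.ASK_USER
    if assoc.cert_sha256 != digest:
        # Same package name as a vetted app but a different signer:
        # treat as a look-alike and never fill.
        return Decision.REFUSE
    if entry_domain not in assoc.domains:
        return Decision.ASK_USER
    return Decision.FILL
```

Binding the approval to the signer digest as well as the package name means a re-signed copy of a previously approved app falls back to asking the user.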

