Security News Another Flaw in LastPass 2FA Implementation (Fixed)

[Ink]

"Lastpass pushed some initial fixes from day one and is working on identifying all CSRF vulnerable request (there were more). Disabling 2FA through the CSRF vulnerability was fixed by adding a CSRF token.

In terms of the the insecure 2FA design, they pushed a initial fix to check the Origin header. This will ensure that the request to obtain the QR Code can only come from lastpass.com. This is good as a immediate fix but does not work on older browser that don’t support the Origin header."

Full Details: Design flaws in Lastpass 2FA implementation - Martin Vigo

 

[frogboy]

Pleased that it is fixed again.

 

[Winter Soldier]

Pleased that it is fixed again.

The problem is between a fix and the next one, but we have to be optimistic

 

[Game Of Thrones]

well i use lastpass and this kind of news about flaws in it worries me about my choice. every time a news is about a password manger its about lastpass!

 

[Winter Soldier]

well i use lastpass and this kind of news about flaws in it worries me about my choice. every time a news is about a password manger its about lastpass!

Softwares are made by humans and humans make mistakes, forget things and bad guys take advantage of these flaws. Password Managers are very critical apps.

 

[Game Of Thrones]

Softwares are made by humans and humans make mistakes, forget things and bad guys take advantage of these flaws. Password Managers are very critical apps.

i know but QA is a task that they should do too!!

 

[lab34]

I think lastpass is a target because they are among the most popular.
I've about the same feeling about the flaws: they worried me, but Lastpass is working hard on hardening.

The same for my car. It was a new model, and it has many flaws the first year, but everytime they ask me to brought it back before something happen and they fixed it. So, many flaws, but many fixes. So, I'm not too worry.

 

[Ink]

i know but QA is a task that they should do too!!

Time to switch from LastPass and throw the passwords list into your Safe and throw away the key.

 

[Game Of Thrones]

Time to switch from LastPass and throw the passwords list into your Safe and throw away the key.

 

[tonibalas]

Popular products are targeted more often than less popular.
That's reason i have dropped Lastpass for over a year now, i knew this time will come.
Just to be clear i believe Lastpass is a great software but for myself i want to reduce my target area

 

[Winter Soldier]

Generally, a discriminating factor to understand how to trust a software that has to do with the safety is to see if the developers have released or not, the source code. The availability of source code is a necessary condition so that anyone can verify the correctness of the implementation of the software.

The problem with this approach is, however, twofold:

- Open source password manager like Keepass typically have a less intuitive and comfortable user interface compared to password manager developed by companies. And because a password manager is a software that you can use multiple times per day, comfort is an essential aspect.

- As I said above, the publication of source code is a necessary condition for verifying the security of a software. Of course, it is not a sufficient condition, given that in any case someone actually does an audit of the code. Since the open source password manager are mainly developed by volunteers without large economic support, means you can not expect that the audit's work on these password managers is systematic and rigorous, but however this means greater control of the implementation.

On the other hand, the vendors of the password manager can pay a third party to do a scrupulous audit's work on code, on the architecture and the cloud platform on which they stored in the users password vault.

Unfortunately, there is always the problem that the code in this case is proprietary, and the companies hardly issue the results of the audit. There remains, therefore, a matter of trust, not indifferent. LastPass, for example, claims to have hired third-party companies to perform regular audits on their software (LastPass - Has LastPass been audited?), but without publish the results. And the link that offers on that page about who try to prove the security of LastPass without having the source code is not, in my opinion, very useful.

In any case, I would say that generally you can trust it. Using a password manager is certainly more secure than not using it, although you can make a judgment in a definitive manner on the security of the software. From this point of view, I would say the best criteria to choose a password manager rather than another one is the personal convenience.

 

[Urusen]

Pleased that it is fixed again.

Same here.

 

[FreddyFreeloader]

An alternative:

Smart Lock

 

[Ink]

An alternative:

Smart Lock

This is great for Android users, but @HarborFront might want to steer clear from this Google product.
I use a combination of LP and Smart Lock, as Google's password management is a lot better than before.
The only major concern is how easy it is to accidentally delete saved Passwords from Chrome browser.

 

[Andytay70]

This is one of the reasons why i dislike/avoid password managers.

 

[Ink]

This is one of the reasons why i dislike/avoid password managers.

I thought this article was about how LastPass implemented it's 2-Factor Authentication security.. and not the password manager itself? Am I mistaken?

 

[lab34]

An alternative:

Smart Lock

Xiaomi is advertising the same thing between the Xiaomi Mi Band (watch) and the Mi Book Air (windows 10 notebook).