Security News Another Flaw in LastPass 2FA Implementation (Fixed)

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
"Lastpass pushed some initial fixes from day one and is working on identifying all CSRF vulnerable request (there were more). Disabling 2FA through the CSRF vulnerability was fixed by adding a CSRF token.

In terms of the the insecure 2FA design, they pushed a initial fix to check the Origin header. This will ensure that the request to obtain the QR Code can only come from lastpass.com. This is good as a immediate fix but does not work on older browser that don’t support the Origin header."

Full Details: Design flaws in Lastpass 2FA implementation - Martin Vigo
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
well i use lastpass and this kind of news about flaws in it worries me about my choice. every time a news is about a password manger its about lastpass!
Softwares are made by humans and humans make mistakes, forget things and bad guys take advantage of these flaws. Password Managers are very critical apps.
 

lab34

Level 6
Verified
Well-known
Mar 28, 2017
263
I think lastpass is a target because they are among the most popular.
I've about the same feeling about the flaws: they worried me, but Lastpass is working hard on hardening.

The same for my car. It was a new model, and it has many flaws the first year, but everytime they ask me to brought it back before something happen and they fixed it. So, many flaws, but many fixes. So, I'm not too worry.
 

tonibalas

Level 40
Verified
Honorary Member
Top Poster
Well-known
Sep 26, 2014
2,973
Popular products are targeted more often than less popular.
That's reason i have dropped Lastpass for over a year now, i knew this time will come.
Just to be clear i believe Lastpass is a great software but for myself i want to reduce my target area
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Generally, a discriminating factor to understand how to trust a software that has to do with the safety is to see if the developers have released or not, the source code. The availability of source code is a necessary condition so that anyone can verify the correctness of the implementation of the software.

The problem with this approach is, however, twofold:

- Open source password manager like Keepass typically have a less intuitive and comfortable user interface compared to password manager developed by companies. And because a password manager is a software that you can use multiple times per day, comfort is an essential aspect.

- As I said above, the publication of source code is a necessary condition for verifying the security of a software. Of course, it is not a sufficient condition, given that in any case someone actually does an audit of the code. Since the open source password manager are mainly developed by volunteers without large economic support, means you can not expect that the audit's work on these password managers is systematic and rigorous, but however this means greater control of the implementation.

On the other hand, the vendors of the password manager can pay a third party to do a scrupulous audit's work on code, on the architecture and the cloud platform on which they stored in the users password vault.

Unfortunately, there is always the problem that the code in this case is proprietary, and the companies hardly issue the results of the audit. There remains, therefore, a matter of trust, not indifferent. LastPass, for example, claims to have hired third-party companies to perform regular audits on their software (LastPass - Has LastPass been audited?), but without publish the results. And the link that offers on that page about who try to prove the security of LastPass without having the source code is not, in my opinion, very useful.

In any case, I would say that generally you can trust it. Using a password manager is certainly more secure than not using it, although you can make a judgment in a definitive manner on the security of the software. From this point of view, I would say the best criteria to choose a password manager rather than another one is the personal convenience.
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
An alternative:

Smart Lock
This is great for Android users, but @HarborFront might want to steer clear from this Google product. :p
I use a combination of LP and Smart Lock, as Google's password management is a lot better than before.
The only major concern is how easy it is to accidentally delete saved Passwords from Chrome browser.
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
This is one of the reasons why i dislike/avoid password managers.
I thought this article was about how LastPass implemented it's 2-Factor Authentication security.. and not the password manager itself? Am I mistaken?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top