Zero day hole can pwn millions of LastPass users, all that's needed is a malicious site

PEllis

Thread author
A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts.

Many millions of users can right now be compromised by merely visiting a malicious website, we understand.

This allows attackers complete access to user accounts in which hundreds and thousands of passwords are stored.

Read more: Zero day hole can pwn millions of LastPass users, all that's needed is a malicious site
 

SHvFl

Pretty sure you will need to be logged in. If that's not the case then this vulnerability is beyond any control. Will wait for the patch and the info that will follow from Tavis.
 
hjlbx

Thread author
There has to be the right convergence of circumstances for the LastPass vulnerability to be exploited.

It's security news reports like this that needlessly terrorize users; they're unhelpful sensationalism that constitutes nothing but fear mongering.

Common sense = do not store banking or any financial related website login credentials in ANY password manager.
 

SHvFl

There has to be the right convergence of circumstances for the LastPass vulnerability to be exploited.

It's security news reports like this that needlessly terrorize users; they're unhelpful sensationalism that constitutes nothing but fear mongering.

Common sense = do not store banking or any financial related website login credentials in ANY password manager.
...and even if you do, make sure your bank has 2 step authentication of some sort that doesn't rely on it.
 
hjlbx

Thread author
...and even if you do, make sure your bank has 2 step authentication of some sort that doesn't rely on it.

Set up two accounts with your bank.

One, a savings account with no ability to transfer funds to your checking account. All deposits should be made to this savings account.

The other, a checking account. Only transfer funds to this account that are sufficient for the transactions and to keep the account open.

Simple enough... just requires an occasional visit to the bank in person to make the transfer.

I keep a minimal balance in checking and use it for any online transactions; savings is blocked from all access except in person.

* * * * *

Two-Step Authentication has already been compromised by malc0ders.
 

SHvFl

Set up two accounts with your bank.

One, a savings account with no ability to transfer funds to your checking account. All deposits should be made to this savings account.

The other, a checking account. Only transfer funds to this account that are sufficient for the transactions and to keep the account open.

Simple enough... just requires an occasional visit to the bank in person to make the transfer.

I keep a minimal balance in checking and use it for any online transactions; savings is blocked from all access except in person.

* * * * *

Two-Step Authentication has already been compromised by malc0ders.
Lol, I do the same with the 2 accounts. I don't really trust anything as the only protection step, but as you mentioned it has the inconvenience of going to the bank. I live in a small town though, so it's usually empty and I can finish in 15 min.
My bank offers 2-step authentication with an SMS to your phone. I have it on because maybe it will save me once. You lose nothing by using a feature. Just don't rely on it 100%.
 
hjlbx

Thread author
Lol, I do the same with the 2 accounts. I don't really trust anything as the only protection step, but as you mentioned it has the inconvenience of going to the bank. I live in a small town though, so it's usually empty and I can finish in 15 min.
My bank offers 2-step authentication with an SMS to your phone. I have it on because maybe it will save me once. You lose nothing by using a feature. Just don't rely on it 100%.

Well said...
 

shmu26

What about manually adding two or three characters to the stored password?
It could be a standard 3 character add-on for all your sensitive sites, stored in the brain.
I think most of us can remember 3 characters.
 
hjlbx

Thread author
What about manually adding two or three characters to the stored password?
It could be a standard 3 character add-on for all your sensitive sites, stored in the brain.
I think most of us can remember 3 characters.

It will work only if you use LastPass to store the partial password, and then you will have to manually add the 3 characters during login. LastPass won't be able to do auto-logins using this method -- but you already know that.

However, why give a malc0der access to most of the password? It's insane - with only 3 characters needed to complete the password, they will crack the entire password using software designed to do so within a single day - probably only hours or even a few minutes.
 

Shran

LastPass Security Updates | The LastPass Blog

Only affect(s/ed) Firefox & has been patched. If you use LastPass on Firefox I recommend going to LastPass - Introducing the New LastPass (Firefox download link) and updating manually just to be sure.
The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon...As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0....The recent report only affects Firefox users...Other browsers are not impacted by this report, and users do not need to take action for other browsers.
 

SHvFl

LastPass Security Updates | The LastPass Blog

Only affect(s/ed) Firefox & has been patched. If you use LastPass on Firefox I recommend going to LastPass - Introducing the New LastPass (Firefox download link) and updating manually just to be sure.
And I was right. He found a bypass on Firefox, so you first had to use Firefox, you had to be logged in, visit a site with the exploit, not use 2-step authentication, sacrifice your firstborn, offer your soul to the devil and finally sign the deal with your blood.
Cool that the issue was fixed, in a day, but the panic some sites created is not justifiable. Bet lots of users removed LastPass and now use something worse or even stopped using a password manager. Media just want views, and the more clickbait the topic is the more money they make.
 
hjlbx

Thread author
And I was right. He found a bypass on Firefox, so you first had to use Firefox, you had to be logged in, visit a site with the exploit, not use 2-step authentication, sacrifice your firstborn, offer your soul to the devil and finally sign the deal with your blood.
Cool that the issue was fixed, in a day, but the panic some sites created is not justifiable. Bet lots of users removed LastPass and now use something worse or even stopped using a password manager. Media just want views, and the more clickbait the topic is the more money they make.

= sign your life away...

* * * * *

Clickbait is all it is... and while they might be informative, they are really nothing more than mental and emotional scare tactics. What a sad, shameful state of affairs...
 

Cats-4_Owners-2

Comments on this thread are an invaluable resource for practical sensible security! The posts here even got my wife up from her seat (Mission Control in the other room). I am proud to say she's now sold on hjlbx's & SHvFl's safer banking practices! :)
 

DardiM

Thanks for the share :)

I have used a local password manager for years, but no information is saved for online payment or bank access / transactions.

KTS online protection / virtual keyboard for bank website & online payment

Bank:
Login: ID entered with the virtual keyboard
Password: entered using a special bank website tool: digits from 0 to 9 are placed at random positions

Payment:
(1) PayPal => almost every time (I receive an email after each transaction)
(2) VISA card (rarely)
after HTTPS and website security verifications:
- I enter the digits with the Kaspersky virtual keyboard (not saved)
- SMS received from my bank with a very short-lived code
- code entered in a secure edit box linked to my bank, to validate the payment
- redirected to the online website
 

Logethica

Thanks for the share :)

I have used a local password manager for years, but no information is saved for online payment or bank access / transactions.

KTS online protection / virtual keyboard for bank website & online payment

Bank:
Login: ID entered with the virtual keyboard
Password: entered using a special bank website tool: digits from 0 to 9 are placed at random positions

Payment:
(1) PayPal => almost every time (I receive an email after each transaction)
(2) VISA card (rarely)
after HTTPS and website security verifications:
- I enter the digits with the Kaspersky virtual keyboard (not saved)
- SMS received from my bank with a very short-lived code
- code entered in a secure edit box linked to my bank, to validate the payment
- redirected to the online website
That's very "Secret Service" of you... Is the phone that receives the SMS a "burner" that self-destructs once the message has been read? ;)
I think perhaps that you are a "Directorate General for External Security" employee who masquerades as a bird of the southern hemisphere on computer security forums :D
 

DardiM

That's very "Secret Service" of you... Is the phone that receives the SMS a "burner" that self-destructs once the message has been read? ;)
I think perhaps that you are a "Directorate General for External Security" employee who masquerades as a bird of the southern hemisphere on computer security forums :D
lol :)
Dear @Logethica, you know that I can't confirm all the secrets - er - all the real details - er - I mean all the details ... you wrote :p
[AFK]
[AFK]
Sorry, I just received a call and my phone exploded - er - my phone batteries failed ... :oops:

LOL... deranged penguin in a funnyman's bat-suit. :D
My man has a sense of humor...

The funniest thing => I really do things like I wrote :)
=> the only time I'm serious, you don't see it ... :confused:
 