Lastpass for assholes. Critical bugs have been identified in the LastPass password manager, extensions for Chrome and Firefox. Adding personal information
Back in the summer of 2016, Google Project Zero specialist Tavis Ormandy sincerely said: “Do people really use this LastPass thing?” Then Ormandy discovered a vulnerability in the code of the LastPass add-on for Firefox 0-day, which made it possible to remotely compromise all user passwords.
Now, almost a year later, the expert has once again decided to put LastPass's security to the test, and, unfortunately, the application cannot be said to have passed the test. Ormandy writes that he discovered a problem in the official LastPass extension for the Chrome browser. According to the researcher, the extension's content_scrip contains a vulnerability that, if attacked, could lead to the compromise of all credentials stored in the application. Moreover, to carry out an attack, the attacker only needs to lure the user to a malicious site.
The researcher explains that the script is only used to access a specific domain on lastpass.com, and if you take a closer look at how it works, it looks like this:
Here, as Ormandy notes, lies the mistake. The script proxies unauthenticated window messages to the extension, which can be dangerous because anyone can do the following:
This will give the attacker full access and force LastPass to execute RPC commands, of which there can be hundreds, but the most dangerous, of course, is the ability to copy and fill passwords. In some cases, this can even lead to the execution of arbitrary code on the user's machine, through the exploitation of openattach. As an example, Ormandy demonstrates running a regular calculator (calc.exe).
LasPass developers, apparently, have already fixed the problem in the Chrome extension by disabling 1min-ui-prod.service.lastpass.com. However, some users note that the server is still running for them, and the vulnerability is still relevant. Users of LastPass for Chrome should probably disable the extension for now and wait for a full patch to be released, as version 4.1.42, dated March 14, 2017, was still vulnerable.
It is worth noting that last week Tavis Ormandy found another very similar bug in the LastPass add-on for Firefox. The vulnerability also allows you to extract all user passwords if he visits a malicious site.
This problem has not yet been fixed. The LastPass developers have already prepared a patch, but the corrected version 3.3.2 is still being reviewed by Mozilla specialists. The LastPass authors also emphasized that the 3.x branch is still considered obsolete, and users are recommended to switch to the more secure 4.x branch.
But LastPass's problems don't end there. Today, March 22, 2017, Tavis Ormandy warned that the LastPass add-on for Firefox contains another bug that allows you to steal other people's passwords for any domain. Moreover, this time the more modern and secure version 4.1.35 is vulnerable. The expert promises to publish the details in the near future.
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud
For a long time I used the Roboform program to store my passwords for sites and fill out web forms for registration on various sites (I was happy with everything about it, except for the fact that it was paid).
But somehow I got tired of constantly, before reinstalling the operating system, first saving the folder of the specified program, which is responsible for storing information with logins and passwords for my sites.
Then, after reinstallation, look for a new version again and carry out manipulations with replacing files and folders. And then the unexpected happened: after the operating system failed, I lost access to all data.
I don’t consider myself a specialist in recovering information from a hard drive, so I didn’t restore anything, but set myself 2 tasks: 1 - find a free and reliable password manager; 2- have access to all your passwords and logins from any place where there is an Internet connection.
While searching for an alternative password manager, I found an add-on for browsers (Firefox, Google Chrome, Opera) called LastPass Password Manager with all the functions that I need (remembering logins and passwords, filling out web forms, a password generator) and I don’t have to pay for these functions.
Plus, the data is stored in encrypted form, to which only you have access. The addition has shown excellent performance for more than six months. Let's do the installation using the Firefox Internet browser as an example.
After installation, restart the browser by clicking the “Restart now” link.
The browser is restarted and a window appears with the beginning of the LastPass setup procedure, where the first thing we need is to select a language and click the “Create an account” button.
In the next window, enter your current email address, the most important master password (you must remember it or write it down somewhere if you are forgetful. We will need it to gain access to all our passwords and the manager’s control panel.
We create a password reminder (optional), and be sure to check the box “I have read and agree to the Terms of Use.” Next, check the box “I understand that my encrypted data will be sent to LastPass.” Select the remaining items as desired and click on “Create an account.”
We read the extremely important information, enter your main master password again and click “Create an account.”
We import or not (optional) our logins and passwords from other storages of confidential information on the computer and click on the “Continue” button.
You can immediately set up information for filling out web forms.
At the last step, we accept Congratulations on the successful installation and click on the “Continue” button.
PASSWORD MANAGER
We are automatically taken to the online storage of your account.
A branded manager button with the functions we need appears in the right corner of the browser.
To make using a password manager as convenient as possible, I would recommend going to settings and unchecking the “Use compact toolbar” checkbox.
We will have a convenient control panel on top of the entire line in the browser. Now, when you enter your username and password on any website, LastPass will prompt you to save the information.
Now you can access any website you need using the website name drop-down list in the manager's top control panel.
A convenient feature is to import all logins and passwords from various popular managers.
Worth mentioning is the highly customizable password generator.
Now, after reinstalling the operating system, be it Windows or Linux, you just need to install the LastPass Password Manager add-on and all your confidential data is back with you.
In conclusion, I will say that in the Google Chrome browser, its version for some reason has fewer settings (in particular, I did not find how to disable the compact toolbar to display the manager in the entire browser line). I will also mention that this password manager has not been tested in Opere.
About upcoming significant changes to the Firefox add-ons system. To ensure cross-browser compatibility, the developers of Firefox and other browsers have adopted a common API called WebExtensions. Supporting a common API will help reduce the cost of cross-platform development for companies like ours that have to produce and support extensions for multiple browsers. While migrating to WebExtensions provides a number of benefits for developers, browsers, and users, we want to prepare LastPass users for the transition from the previous Firefox add-on to the new one.
We've been supporting two versions of LastPass for Firefox for over a year now. The stable version 3.x is published on the Firefox Extension Store, and the in-development version 4.x is published on the LastPass.com website.
While this created some confusion for LastPass users, we maintained the "legacy" version to maintain the Firefox-like user experience that our users preferred. In the meantime, we continued to develop version 4.x in accordance with the changes that Mozilla implements. But with the recent news that Mozilla will be moving entirely to WebExtensions by the end of 2017, we have to say goodbye to LastPass version 3.x for Firefox.
We will release the newest version of the add-on on March 31, 2017. The latest version of the add-on is expected to be rolled out to all users of version 3.3.2 within a few days after review by Mozilla. You can manually update the Firefox add-on now or wait for the automatic update in April. After this, only version 4.x will be available on both addons.mozilla.org and LastPass.com. For Firefox add-on users version 3.x, this update brings all the latest improvements we've made to the core logic and performance of LastPass, as well as the latest user interface. Based on user feedback, we also recommend checking out the tile and list views in the 4.x interface to see which view is best for you.
LastPass 3.x Interface
LastPass 4.x Interface
In addition to implementing the changes made by Mozilla, we believe that the new version of our Firefox add-on is overall much easier to use. We know that change is not always pleasant. We're listening to your feedback and making thoughtful, informed changes while unifying the LastPass experience across all browsers and platforms.
Of course, upgrading to a new version of the add-on will not affect your LastPass account or any data in your storage. You will still have full access to your account at any time from any browser and device.
As always, you can contact our support team if you have any questions or concerns regarding this transition.
The first and simplest option is the standard password manager of Chrome, Firefox, Opera or Vivaldi. Almost all modern browsers can save and automatically insert logins and passwords into the required fields. Yes, this option cannot be called very functional, since it lacks some additional features such as a generator of reliable combinations and protected notes. But you can use it completely free, and there is synchronization between different devices, which works, of course, only if you use the same browser everywhere.
Simplicity, accessibility, free. Synchronization between different devices.
− Low functionality and security.1Password
1Password has been around for over eight years, but has always been overshadowed by LastPass due to its fairly high cost. It can store passwords, bank card data, software licenses and other confidential information in a secure virtual storage. This storage can be located on a remote server or a local device. It is possible to synchronize via Wi-Fi, Apple iCloud or Dropbox. The developers paid special attention to security and encryption algorithms, thanks to which this service was not noticed in high-profile scandals.
Reliability, cross-platform, functionality, synchronization.
− High price.KeepPass
If you are looking for a free solution and are not afraid of difficulties, then be sure to try KeePass. This is a completely open source project created by independent developers. It has a huge number of possibilities thanks to the presence of a whole arsenal of various add-ons, plugins and auxiliary utilities. However, in return, you will have to come to terms with the typical disadvantages of free software in the form of high complexity of development and instability of some elements.
The password database created in KeePass is stored in the form of a single file, which can be placed on your hard drive or in some cloud service. In the latter case, you can implement data synchronization between different devices. There are plugins for popular browsers that, with varying degrees of success, provide substitution of logins and passwords on the desired pages. In addition, KeePass is also available on mobile devices.
Free, functional, secure.
− A solution for geeks who can select and correctly configure all the necessary components.Dashlane
This password storage service appeared relatively recently, but has already proven itself on the positive side. Dashlane has a nice appearance, good functionality and ease of use. The password database is stored in the cloud in encrypted form, and there is synchronization between clients for different platforms (Mac, PC, iOS and Android). Among the additional features, it is necessary to highlight the function of automatically filling out forms, a password generator, the ability to change passwords in one click, and convenient tools for online shopping. But all this splendor may fade for you if you want to use data synchronization between different devices. To do this, you will have to buy an annual subscription costing $39.99, which, you see, is quite a lot.
Appearance, reliability, cross-platform, digital wallet.
− High cost, lack of local password storage.Which password manager will you choose if LastPass does become paid?
