People wonder why I am always so harsh on #LastPass. Thing is, I’ve been watching them ignore security risks for years. Yes, things that they are being warned about again and again, yet they choose not to address them.
You think unencrypted URLs are bad? Take a look at this seven years old presentation by Martin Vigo and Alberto Garcia Illera: blackhat.com/docs/eu-15/materi…. Starting with page 69 it explains how the custom_js feature could be abused to extract users’ passwords.
Guess what, this feature is still present and used on PayPal for example. Still no encryption and nothing to protect the users. No change whatsoever in at least seven years that LastPass was made aware of this issue.
Instead, when disclosing #LastPassBreach they again lie that they don’t have access to your passwords. But they do. Anyone with access to their server does. NSA could order them to extract your passwords. Hackers who gain access to their server could abuse this to get your passwords. Or just to run their JavaScript code on any website, and then they don’t even need your passwords.
And that’s only one out of the many documented backdoors that LastPass chooses to ignore, both in terms of implementation and their public communication.