Items tagged with: lastpassbreach


I dug out my communication with #LastPass from 2018. I continuously prompted them to update the iteration count for existing accounts, they kept stalling. Originally I wanted to disclose their vulnerabilities only after they fixed this, yet I ended up publishing with the migration still “in progress” according to their claims. As we know now, it likely didn’t even start back then, and they never actually finished this migration. So now many of their users are at a heightened risk in the #LastPassBreach.

I am absolutely flabbergasted at the massive failure that comes to light now. Didn’t want to write any more, but… Well, one more blog post.

https://palant.info/2022/12/28/lastpass-breach-the-significance-of-these-password-iterations/
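Added illustration of the point the post is making about the iteration count (this is example code written for this page, not the author's or LastPass's code): PBKDF2 iterations are a per-account work factor, raising them changes the derived key, so a vendor cannot silently "migrate" an account server-side; the vault has to be re-encrypted on the client with the master password. The password, salt and iteration counts below are constructed for illustration and are not values taken from the post.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the post). A real vault derives its key
# from the user's master password and a per-account salt.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"user@example.invalid"

# Illustrative counts, assumed here: an old low default, a later default, and
# a current recommendation for PBKDF2-HMAC-SHA256.
OLD_ITERATIONS = 5_000
LATER_ITERATIONS = 100_100
RECOMMENDED_MINIMUM = 600_000


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The iteration count is the work factor: every guess against a stolen
    vault blob must repeat the same number of HMAC rounds.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def guess_cost_ratio(old_iterations: int, new_iterations: int) -> float:
    """How many times more work per guess the new count imposes on an attacker."""
    return new_iterations / old_iterations


def migration_requires_password(password: str, salt: bytes,
                                old_iterations: int, new_iterations: int) -> bool:
    """True when changing the count yields a different key, i.e. the vault
    must be re-encrypted with the master password (client-side) to migrate."""
    old_key = derive_vault_key(password, salt, old_iterations)
    new_key = derive_vault_key(password, salt, new_iterations)
    return not hmac.compare_digest(old_key, new_key)


def accounts_below_minimum(accounts: dict, minimum: int) -> list:
    """Defender-side audit: which accounts still sit below the minimum count.

    `accounts` maps an account label to its stored iteration count.
    """
    return sorted(name for name, count in accounts.items() if count < minimum)


if __name__ == "__main__":
    # Constructed inventory of accounts and their per-account iteration counts.
    inventory = {"alice": OLD_ITERATIONS, "bob": LATER_ITERATIONS,
                 "carol": RECOMMENDED_MINIMUM}
    print("per-guess cost ratio old -> recommended:",
          guess_cost_ratio(OLD_ITERATIONS, RECOMMENDED_MINIMUM))
    print("key changes on migration:",
          migration_requires_password(SAMPLE_PASSWORD, SAMPLE_SALT,
                                      OLD_ITERATIONS, LATER_ITERATIONS))
    print("accounts still below minimum:",
          accounts_below_minimum(inventory, RECOMMENDED_MINIMUM))
```

The audit function is the check a practitioner would want after a breach disclosure: any account whose stored count never moved is exactly the one at heightened risk, because the cost ratio, not the default in the marketing copy, is what an offline attacker faces.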


People wonder why I am always so harsh on #LastPass. Thing is, I’ve been watching them ignore security risks for years. Yes, things that they are being warned about again and again, yet they choose not to address them.

You think unencrypted URLs are bad? Take a look at this seven-year-old presentation by Martin Vigo and Alberto Garcia Illera: https://www.blackhat.com/docs/eu-15/materials/eu-15-Vigo-Even-The-Lastpass-Will-Be-Stolen-deal-with-it.pdf. Starting with page 69 it explains how the custom_js feature could be abused to extract users’ passwords.

Guess what, this feature is still present and used on PayPal for example. Still no encryption and nothing to protect the users. No change whatsoever in at least seven years that LastPass was made aware of this issue.

Instead, when disclosing #LastPassBreach they again lie that they don’t have access to your passwords. But they do. Anyone with access to their server does. NSA could order them to extract your passwords. Hackers who gain access to their server could abuse this to get your passwords. Or just to run their JavaScript code on any website, and then they don’t even need your passwords.

And that’s only one out of the many documented backdoors that LastPass chooses to ignore, both in terms of implementation and their public communication.

#infosec #ApplicationSecurity