Password management site plugs info-leak bug


Post by p2u on 3/3/2011, 11:30

Anybody here using one of those super-convenient password manager plug-ins of any kind? I'd say: don't. See what happened recently to LastPass: Password management site plugs info-leak bug (or: "LastPass covers ass").
P.S.: Although the security hole only created a means to extract the email addresses (+ info on sites associated with the LastPass account + a list of IP addresses used to access the site), and not the passwords themselves, we will see more of this in the future, presumably with more serious consequences...

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14


Re: Password management site plugs info-leak bug

Post by ssj100 on 3/3/2011, 12:08

I've never used anything like this, but never could give a good reason. It just didn't feel right to use something like that. Now it feels even less right haha.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Password management site plugs info-leak bug

Post by p2u on 3/3/2011, 12:10

As far as I understand, all info for LastPass is saved "in-the-cloud". The moment you allow that to happen, you give up control...

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

Re: Password management site plugs info-leak bug

Post by blues on 3/3/2011, 21:26

I could never understand the appeal of those apps (from a security point of view).

Anyone using such an app or storing passwords in their browser is just inviting trouble imho.

Totally agree that we will see more issues with these programs as we go forward.

blues
Member

Posts : 42
Join date : 2010-11-25

Re: Password management site plugs info-leak bug

Post by Senraeth on 3/3/2011, 22:35

I wouldn't be so quick to rule out the usefulness of such utilities. IMO, they promote good password habits, which most people are severely lacking in. No matter how good your host system security is, if you are using the same (probably weak) password for some random forum (this site, wilders, etc) as for your sensitive accounts (banks and such) and the less secure site's database is compromised, then all of your logins are at risk. Similarly, even if you are separating your passwords, using a short and easy to remember password that can be quickly cracked by a determined hacker can be just as bad. LastPass and other password managers make it easy for the average (or advanced) user to use strong and different passwords for every account, and provided that they use a sufficiently complex single master password, it can increase their overall security IMHO.

Also keep in mind that this particular vulnerability was not able to reveal any actual passwords as far as anyone has reported and was fixed in a very timely and professional manner. I personally think that the service is pretty good and am confident in the cloud storage, but perhaps the bigger issue here is the way that many users use (and are typically encouraged to use) the product. This goes back to ssj's running theme of security approach. The vulnerability here was a cross site scripting attack which took advantage of an already established and authenticated session (sounds more like CSRF?) with the LastPass site. So in order for an attack to occur in practice, a user would have had to be already logged in to the service and then visit a malicious page or link. IMHO, this is a bad security approach in general that can apply to any site or service and you should not be logged in to anything important while visiting potentially untrusted sites. The same thing could happen to you if you log in to your bank and then start visiting random sites while keeping the session open if an XSS vulnerability were discovered in the site (and vulnerabilities will be found in any site/service created by humans eventually imo). Granted it is much easier to do this for a bank and reduces the convenience of the password manager, but it is the safest approach nonetheless. I would also encourage anyone using LastPass to make a separate account for sensitive logins vs everyday logins, but that is going a bit off-topic.

Anyway, I guess I just wanted to say that I think password management is a pretty annoying problem for most people and I believe LastPass is a step in the right direction and that as with all things security, it is the approach you take when using it that is just as if not more important than what you are actually using. Feel free to disagree with me, and keep up all the great posts around here.

Senraeth
New Member

Posts : 2
Join date : 2010-07-30

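The attack pattern described in the post above (a malicious page making a request that rides on the user's still-open, authenticated session) is what a service defends against on its own side. Below is an added example, written for this thread and not code from LastPass or any other product, of the two server-side checks that stop it: the session cookie is issued with SameSite=Strict so the browser does not attach it to requests started by other sites, and every state-changing request must carry both a same-origin Origin/Referer header and a per-session CSRF token that a page on another origin cannot read. The service origin `https://vault.example`, the request objects and the token value are all constructed for the example.

```javascript
// Added example, not code from the thread or from LastPass: server-side checks
// that stop a request from a malicious page from riding on a logged-in session.
// Request and session objects are constructed here; a web framework would
// normally supply them.

const SITE_ORIGIN = 'https://vault.example'; // assumed origin of the service

// Cookie attributes that keep the browser from attaching the session cookie to
// requests initiated by other sites (SameSite=Strict) or sent over plain HTTP (Secure).
function sessionCookie(sessionId) {
  return `sid=${sessionId}; Secure; HttpOnly; SameSite=Strict; Path=/`;
}

// Constant-time string comparison so the token check does not leak via timing.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a state-changing request (e.g. "export my vault") may proceed.
// Returns { ok, reason } so the caller can log why a request was rejected.
function checkStateChangingRequest(req, session) {
  if (!session) return { ok: false, reason: 'no authenticated session' };

  // 1. The request must come from our own origin. Browsers send Origin on
  //    cross-site POSTs; Referer is the fallback when Origin is absent.
  const source = req.headers['origin'] || req.headers['referer'];
  if (!source) return { ok: false, reason: 'missing Origin and Referer headers' };
  let sourceOrigin;
  try {
    sourceOrigin = new URL(source).origin;
  } catch (e) {
    return { ok: false, reason: 'unparseable Origin/Referer' };
  }
  if (sourceOrigin !== SITE_ORIGIN) {
    return { ok: false, reason: `cross-site request from ${sourceOrigin}` };
  }

  // 2. The request must carry the per-session CSRF token. It lives in the page,
  //    not in the cookie, so another origin cannot obtain it just by having the
  //    browser attach the session cookie.
  const submitted = req.body ? req.body.csrf : undefined;
  if (!tokensMatch(submitted, session.csrfToken)) {
    return { ok: false, reason: 'CSRF token missing or wrong' };
  }
  return { ok: true, reason: 'same-origin request with valid token' };
}

// Constructed sample traffic: a legitimate form post, a request triggered by a
// page on another origin while the user is still logged in, and a request with
// a guessed token from an otherwise same-origin page.
function runSamples() {
  const session = { userId: 42, csrfToken: '3f9c1a7e5b2d4c8a9e0f1b2c3d4e5f60' }; // constructed
  const legit = {
    headers: { origin: SITE_ORIGIN, cookie: sessionCookie('abc') },
    body: { action: 'export', csrf: session.csrfToken },
  };
  const ridingSession = {
    headers: { origin: 'https://evil.example', cookie: sessionCookie('abc') },
    body: { action: 'export' },
  };
  const guessedToken = {
    headers: { referer: `${SITE_ORIGIN}/settings`, cookie: sessionCookie('abc') },
    body: { action: 'export', csrf: 'deadbeef' },
  };
  return {
    legit: checkStateChangingRequest(legit, session),
    ridingSession: checkStateChangingRequest(ridingSession, session),
    guessedToken: checkStateChangingRequest(guessedToken, session),
    loggedOut: checkStateChangingRequest(legit, null),
  };
}
```

Rejections are logged with their reason; a burst of "cross-site request from ..." entries for one session is exactly the signal an operator would want to see when a page like the one described is circulating.

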
Re: Password management site plugs info-leak bug

Post by p2u on 3/3/2011, 23:37

Senraeth wrote: I think password management is a pretty annoying problem for most people and I believe LastPass is a step in the right direction
It is certainly a lot better than the in-built password managers in our browsers. I remember in 2008 there was this Password Manager test by Chapin Information Services, which revealed terrible weaknesses. The test site was quickly removed from the face of the earth.
The main lessons were:
1) The destination where passwords are sent is not checked.
2) The location where passwords are requested is not checked.
3) Invisible form elements can trigger password management.
The site cannot be found anymore, not even through Google cache, but here's a report from zdnet.com at that time:
http://www.zdnet.com/blog/security/major-web-browsers-fail-password-protection-tests/2305
Opera and Firefox were the "best" with 7/21. With my crazy paranoid settings I managed 13/21: imagepost.ru/?v=709/152183a6d183.jpg
The lesson I personally learned from this: passwords should best be kept in one's head, however inconvenient.

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

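The three lessons listed in the post above are each a check a password manager can make before it fills anything. The following is an added example written for this thread, not code from any browser or password manager: it compares the page's origin and the form's submit destination with the origin the password was saved for, and refuses to fill a password field that is not visible. Forms, fields and the saved credential are plain objects constructed for the example (an extension would read them from the DOM); the origin `https://forum.example` is made up. Because an origin includes the scheme, the same check also goes slightly beyond the listed lessons by refusing to fill an `http://` copy of a site whose password was saved under `https://`.

```javascript
// Added example, not from the thread or from any browser or password manager:
// the checks behind the three lessons, applied before a password manager fills
// a saved password. All inputs are constructed plain objects.

// Origin (scheme + host + port) of a URL, resolving a relative URL against base.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch (e) {
    return null;
  }
}

// A field counts as visible only if it is rendered with a non-zero box.
function isVisibleField(field) {
  if (field.type === 'hidden') return false;
  const style = field.style || {};
  if (style.display === 'none' || style.visibility === 'hidden') return false;
  const rect = field.rect || { width: 1, height: 1 }; // assume laid out if no rect given
  return rect.width > 0 && rect.height > 0;
}

// Returns { fill, reason }. credential.origin is the origin the password was
// saved for; an http:// copy of the same host therefore does not match.
function autofillDecision(pageUrl, form, credential) {
  // Lesson 2: the page asking for the password must be the one it was saved for.
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null || pageOrigin !== credential.origin) {
    return { fill: false, reason: `page origin ${pageOrigin} is not ${credential.origin}` };
  }
  // Lesson 1: the destination the form submits to must match as well.
  // A missing or relative action resolves against the page URL.
  const actionOrigin = originOf(form.action || '', pageUrl);
  if (actionOrigin !== credential.origin) {
    return { fill: false, reason: `form would submit the password to ${actionOrigin}` };
  }
  // Lesson 3: only fill password fields the user can actually see.
  const passwordFields = form.fields.filter(f => f.type === 'password');
  if (passwordFields.length === 0) return { fill: false, reason: 'no password field' };
  if (!passwordFields.every(isVisibleField)) {
    return { fill: false, reason: 'password field is hidden' };
  }
  return { fill: true, reason: 'page, destination and fields check out' };
}

// Constructed samples: a normal login form, a form pointing at another origin,
// an http:// copy of the site, a display:none password field and a zero-size one.
function runSamples() {
  const saved = { origin: 'https://forum.example', username: 'paul' };
  const visible = [{ name: 'u', type: 'text' }, { name: 'p', type: 'password' }];
  const hidden = [{ name: 'p', type: 'password', style: { display: 'none' } }];
  const zeroSize = [{ name: 'p', type: 'password', rect: { width: 0, height: 0 } }];
  return {
    legit: autofillDecision('https://forum.example/login.php',
      { action: 'login.php', fields: visible }, saved),
    exfil: autofillDecision('https://forum.example/post.php',
      { action: 'https://evil.example/collect', fields: visible }, saved),
    downgrade: autofillDecision('http://forum.example/login.php',
      { action: 'login.php', fields: visible }, saved),
    hidden: autofillDecision('https://forum.example/post.php',
      { action: '/login.php', fields: hidden }, saved),
    zeroSize: autofillDecision('https://forum.example/post.php',
      { fields: zeroSize }, saved),
  };
}
```

The order of the checks matters: the cheap origin comparisons run first and short-circuit, so a form on a page the credential was never saved for is never even inspected for fields.
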