zupzupper|8 years ago
LastPass produces two apps, the Password Manager and this Authenticator App, which looks like a 2FA competitor to Google Authenticator.
The bug the article is detailing is in the Authenticator application, not the Password Manager application, which wasn't very clear to me on my first read.
ufmace|8 years ago
Thanks for the clarification. This reveals a couple of other points.
This flaw is that the fingerprint/PIN auth for their TOTP authenticator app can be bypassed by manually launching one of the app's activities. This is a separate auth layer over the phone's screen lock. The first exploit path here is thus that if a malicious user gets access to your unlocked phone, they could install one of these activity opener utilities and access this app's TOTP code screen. That gets them the current TOTP codes, but not the secret for generating them. Note that this is currently the security level that Google's Authenticator app already has.
The other, which I'm a little less clear on, is that a malicious app gets installed somehow, launches the activity, and manipulates the UI to hit the buttons and read the screen to get your current TOTP codes. I think Android apps' abilities along these lines have changed around several times between Android versions, and I'm not sure which version does what, but I think the current version requires the user to set a special checkbox in settings for an app to be able to do these things. If you can get a user to do that for your malicious app, it can do all sorts of bad things.
In both cases, the attacker would be getting current codes, not the secret, which would still be locked away safely in the app's storage. So while this flaw is kind of bad and should be fixed, it doesn't have me running for the hills, esp. since I don't even use this app.
dzhiurgis|8 years ago
https://news.ycombinator.com/item?id=15756044
This was just over a month ago, and published only here.
darrmit|8 years ago
So many better designed, more secure options out there. KeePass, Bitwarden, or 1Password to name a few.
hedora|8 years ago
I think it is mostly inertia and cross-platform support. Before they were acquired, they seemed to care a lot more about security, instead of just security theater.
They also have some nice crypto features: For instance, I forgot my master password, and they have a one time password reset protocol that lets them send you an unlock code that only works on previously logged in devices.
Also, it has rock-solid offsite backup built in.
Moving away has been on my TODO list for a long time.
balladeer|8 years ago
KeePass is anything but user friendly or convenient - it involves a lot of tinkering and not a lot of people have time, patience, or even know-how for that.
1Password has ignored every other platform other than the fruit company ecosystem for a really long time now.
Bitwarden comes close. OSS, polished, and seemingly with a business model. After checking on Firefox (on Linux), iOS, and Android apps when I wanted to install it on my Mac I found out its Safari extension doesn't exist and the GitHub issue is clear that they will not be working on that anytime soon [0]. Also, I read a reddit comment that there is only one full time developer and this was just a few weeks ago [1]. Now I know it's an open source project but I want to use a service that is really ready to be used for my password management while I want to pay for it.
LastPass is everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - have really been consistent. This is what makes it a favourite option.
So when you say "better designed" I assume you mean better security architecture/design and yes the reason for its popularity is indeed ease of use with acceptable security for the most. I have really tried all other apps out there and for some reason or the other I keep coming back to LastPass.
[0] https://github.com/bitwarden/browser/issues/17
[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...
balladeer|8 years ago
KeePass is anything but user friendly or convenient - it involves a lot of tinkering and not a lot of people have time, patience, or even know-how for that. It has never been and I don't see that happening in the near future. In comparison LastPass is "sign up once, use everywhere".
1Password royally ignored every other platform other than the fruit company ecosystem for a really long time.
See, I am not speaking as a fanboy, I am not one. Just a satisfied user - I have really tried all other apps out there and for some reason or the other I kept coming back to LastPass.
Bitwarden came close to making me switch. OSS, polished, and seemingly with a business model. After checking on Elementary Firefox, iOS, Android apps when I went to find its Safari extension (that's where I do my personal browsing) - it didn't exist, it still doesn't and the GitHub issue is clear that they will not be working on that [0] anytime soon. Also, I read a reddit comment that there was only one full time developer and this was a few weeks ago [1]. Now I know it's an open source project but I want to use a service that is really ready to be used for my password management.
LastPass - it's not really entirely browser based, it's actually available everywhere - Windows, Linux, Mac, Chrome, Ff, Safari, IE, iOS, Android. You name it. And it has been on these various platforms for a long time. Sync, client side encryption, easy import from other apps, good extensions, decent support ticket TATs (even for free accounts), continuous development (however I must add that they have started to add bloat and useless gloss after the sale) - have really been consistent. This is what makes it a favourite option.
So when you say "better designed" I assume you mean better security architecture design and yes it is ease of use with acceptable security for the most.
[0] https://github.com/bitwarden/browser/issues/17
[1] https://www.reddit.com/r/Bitwarden/comments/7htswv/how_many_...
yegle|8 years ago
I'm hoping the Autofill API in Android Oreo can bring more competition.
1. It's not easy to have all the integrations necessary to make this product
2. There ultimately doesn't appear to be that much money in it compared to other businesses
3. The least secure password manager is more willing to do the unsafe thing that is a killer feature that users want.
They're owned by Citrix so they have automatic credibility.
busterarm|8 years ago
Surely you're joking.
chaostheory|8 years ago
In this case, the name is important too. It's easy to remember and it explains the product as well. The only alternative with a better name is 1password
ComputerGuru|8 years ago
The code, tech, and mindset behind LastPass is a joke. They started just after the “dark ages” of security but don’t seem to have upgraded their mental model of security since. I’ll share with you the moment I discovered something that made me cancel my schedule for the day, research alternatives, write a LastPass to 1Password converter [0], and cancel my LastPass account and subscription.
Are you ready?
You log in to their support forums and online community with the same password you decrypt your vault with.
[0]: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...
EDIT:
To answer some of the comments, since understandably not everyone is a security expert:
What happens if LastPass’s web forum is compromised and all their additional security counts for nothing?
Even if not: you have no problem with people being conditioned to enter the password securing all their passwords repeatedly into random pages for random content not related in any way, shape, or form to their vault in a web browser?
Containment is the name of the game. It’s hard enough making one app secure enough to enter your password into. Then extending that with an SSO, relying on the security of none other than notoriously crappy phpBB, vulnerable to upstream code injections, XSS, phishing attacks, and god knows what else, and you still think you can trust them to keep your master password secure?
LastPass is such a juicy target and this is such an easy attack vector that I can virtually guarantee at some point phpBB - or, more accurately, their abuse of it - will be a massive liability and the source of a huge catastrophe for them, if it hasn’t secretly already.
Of course they know to treat changes to their authentication apps very carefully and code review each and every syllable added or removed (well, I hope so). But do they review upstream patches to the forum software they use? What about the third party template they have installed? Do they hold off on patches after a security bug is discovered in phpBB so they can review the code changes? Do they even upgrade their forums? What about a vulnerability in PHP itself? Do they secure the server hosting their authentication apps in the same manner as the server hosting their forums? Do their web developers undergo the same background checks and scrutiny their core developers undergo? How many sysadmins have access to the website? Do they provide the same access monitoring to people managing an ancillary feature like their forum software?
The list just goes on forever. You’re as secure as the weakest link. All anyone that wants to break into LastPass has to do is get some code into phpBB or the random phpBB themes and plugins they use and it’s game over for millions of LP users and billions of credentials worldwide.
See the problem?
busterarm|8 years ago
My biggest gripe/concern with LastPass Enterprise (we use it) is that sharing/access control _never_ works properly.
Every time we bring someone on and try to share folders or credentials with them, we end up needing a multi-hour support ticket to get everything resolved correctly.
This shouldn't happen. It raises big alarms for me.
Electronic password managers never made sense to me. While you can do more to secure a single target, it is a more valuable target and one mistake costs you all your passwords. For me a physical password journal is best. While it does make you vulnerable to physical attackers, the cost invest to target someone physically is so much higher that if I have to deal with that threat level I'm already a goner. Just have to hide it from the kids.
slig|8 years ago
Couple of days ago they sent a newsletter email to all their subscribers telling something about "enterprise accounts". Anyway, they sent that to everyone, when obviously they meant to send to their enterprise customers.
In that moment I realised that I still had an active subscription with them and cancelled promptly.
gruez|8 years ago
what's the issue with that? maybe they have some SSO system
mickronome|8 years ago
I trust you to be right, but that's so incredibly stupid it's hard to believe someone selling a password manager would do that!
scarhill|8 years ago
As it happens, I switched from Google Authenticator to LastPass Authenticator a few days ago. The app has a feature that allows you to require a PIN or fingerprint in order to use it. That feature is disabled by default. (Note that Google Authenticator has no such feature.) As I understand it, this attack allows someone with access to my unlocked phone to install an activity launcher app and then generate 2FA codes without supplying a PIN or fingerprint. Actually, for my phone they wouldn't need to bother with the launcher app, because I didn't enable the additional fingerprint/PIN feature--it seems to reduce convenience while adding little security.
Still, it's definitely a bug. They should either fix it or remove the feature so people aren't misled into thinking their two-factor codes are secure when they're not.
LineageOS users can enable Privacy Guard to protect Google Authenticator, which requires device credentials (pattern, finger etc.) to start the app. Also don't put it on your homescreen.
ilyagr|8 years ago
I'm very confused about how bad this is, the article seems unclear. Does it allow malicious apps to steal the OTA codes? Does it allow malicious apps to steal the keys used to generate the OTA codes? Does it allow a user to see the keys? Is it none of the above?
All I get from the article is that the user might be able to see the OTA codes in a roundabout way. If that's the entire problem, why is it a problem?
willstrafach|8 years ago
It is difficult to understand, but it seems like the app normally has some sort of PIN protection in order to open it. This is apparently a bypass method for that protection.
Maybe I am misunderstanding, but it really does not seem like much of a big deal, as someone would need to have your phone in hand as well as your lock screen passcode.
The title seems pretty dishonest, if my interpretation of this issue is correct.
zwerdlds|8 years ago
But no follow-up via email? Maybe it's time to start looking at other options.
So the moral of the story is don't let people install applications on your Android device? And the bigger moral is: don't hand someone your unlocked Android device and let them play with it for an extended period of time?
This "problem" has precisely nothing to do with open source vs closed source. "Tell me the list of activities that are public" and "tell me the name of each activity as I launch it" are babies-first-app-analysis level and work equally well on open and closed source apps.
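The check the comment above calls babies-first-app-analysis, and the launch path ufmace describes further up (start one of the app's activities directly, skipping the PIN screen), both come down to one question: which activities of the app can another app, or an activity-launcher utility, start? The script below is an added example, not LastPass's code and not from the article: it reads a decoded AndroidManifest.xml and reports every activity that is exported, explicitly or implicitly, together with any permission gating it. The package, activity names and manifest are constructed for illustration.

```python
"""List activities an Android app exposes to other apps, from a decoded
AndroidManifest.xml. Added example; the manifest and all names in it are
hypothetical, not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def exported_activities(manifest_xml):
    """Return [(activity, reason, permission)] for activities that other apps
    can start with startActivity().

    Android's rules: android:exported="true" exports the component; if the
    attribute is absent, an <intent-filter> implies exported="true" for apps
    targeting API < 31 (from API 31 the attribute must be explicit).
    android:permission restricts which callers may start the activity."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    application = root.find("application")
    found = []
    if application is None:
        return found
    for elem in application:
        if elem.tag not in ("activity", "activity-alias"):
            continue
        name = android_attr(elem, "name", "")
        if name.startswith("."):
            name = package + name  # relative class name -> fully qualified
        exported = android_attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = "exported=true"
        elif exported is None and has_filter:
            reason = "implicit: intent-filter without android:exported"
        else:
            continue  # exported="false", or no attribute and no filter
        found.append((name, reason, android_attr(elem, "permission")))
    return found


def unguarded_exported_activities(manifest_xml):
    """Exported activities with no android:permission: any app on the device
    can start them. Whether that matters depends on what the screen shows;
    an in-app PIN is only a real gate if each such screen re-checks the
    unlock state itself (e.g. in onResume()) rather than relying on being
    reached through the PIN screen."""
    return [a for a in exported_activities(manifest_xml) if a[2] is None]


# Constructed manifest modelling the pattern discussed in this thread: the
# launcher activity is legitimately exported, the code list screen is also
# exported and unprotected, the PIN and settings screens are internal, and
# one exported screen is gated by a signature-level permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator">
  <application android:label="Example Authenticator">
    <activity android:name=".PinActivity" android:exported="false" />
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".CodeListActivity" android:exported="true" />
    <activity android:name=".SettingsActivity" />
    <activity android:name=".ExportActivity" android:exported="true"
        android:permission="com.example.authenticator.permission.INTERNAL" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, reason, perm in exported_activities(SAMPLE_MANIFEST):
        print("%s: %s; permission=%s" % (name, reason, perm or "none"))
```

Run it against the manifest `apktool d app.apk` writes out; no source is needed, which is the point made above about open versus closed source. Every activity it lists without a permission is reachable without passing through whatever lock screen the app shows on a normal launch. The defensive pattern is the reverse of the one this thread describes: internal screens get android:exported="false", and the PIN/fingerprint check is performed by each guarded screen when it comes to the foreground, not by a screen that merely sits in front of them.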
david-cako|8 years ago
I will never trust my passwords all being in one place other than my brain.
UncleMeat|8 years ago
Are we really concerned about an exploit that requires somebody to have unlocked access to your phone?
The worrying bit is LastPass' inaction since July 2017, when they were notified of the issue. For a product whose aim is to secure your credentials, this is a lax attitude to security.