top | item 32600893


whoisjohnkid | 3 years ago

Hmm, even though LastPass doesn't have access to your password, couldn't a malicious software update allow an attacker to view your passwords when it runs, since the software ultimately has access?

This doesn’t seem to be the case in this incident though.

g_p | 3 years ago

Yes, absolutely - a compromised development environment might be the first step towards getting implanted code into shipping software, or getting to a signing environment (hopefully highly isolated, but you never know!), with a view to carrying out a supply chain attack.

That's basically what happened in the SolarWinds compromise.
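To make the two failure modes in the comment above concrete (implanted code altered after signing versus a compromised signing environment), here is an added example in Go that is not from the thread or from LastPass. It models a vendor's signing step and a client's pinned-key update check with Ed25519 from the standard library; the Release type, the function names and the artifact bytes are constructed for illustration and do not reflect any real update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is a constructed, simplified update artifact: the bytes a client
// downloads plus a detached signature produced by the vendor's signing
// environment. (Assumed structure, not any vendor's real format.)
type Release struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// releaseDigest binds the version string and the payload together so that
// a signature over one version cannot be replayed onto another.
func releaseDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "1.0"+"x" and "1.0x"+"" differ
	h.Write(payload)
	return h.Sum(nil)
}

// SignRelease models the signing environment: only it holds the private key.
func SignRelease(priv ed25519.PrivateKey, version string, payload []byte) Release {
	digest := releaseDigest(version, payload)
	return Release{Version: version, Payload: payload, Signature: ed25519.Sign(priv, digest)}
}

// VerifyRelease models the client-side check: the client holds only the
// vendor's public key, pinned into the build, and refuses unsigned changes.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	if len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, releaseDigest(r.Version, r.Payload), r.Signature)
}

// Tamper models code implanted after signing (e.g. in a build or distribution
// step) by someone who does not have the signing key.
func Tamper(r Release, implant []byte) Release {
	r.Payload = append(append([]byte{}, r.Payload...), implant...)
	return r
}

// Demo runs three constructed scenarios and reports whether the client would
// accept the update: a genuine release, a release altered after signing, and
// an altered release signed with a stolen signing key.
func Demo() (genuineOK, tamperedOK, stolenKeyOK bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("client build 2.0 (constructed bytes)")
	genuine := SignRelease(vendorPriv, "2.0", payload)
	genuineOK = VerifyRelease(vendorPub, genuine) // expected: true

	tampered := Tamper(genuine, []byte(" implant (constructed)"))
	tamperedOK = VerifyRelease(vendorPub, tampered) // expected: false

	// If the signing environment itself is compromised, the attacker signs the
	// altered payload with the real key and the pinned-key check passes.
	stolen := SignRelease(vendorPriv, "2.0", tampered.Payload)
	stolenKeyOK = VerifyRelease(vendorPub, stolen) // expected: true
	return
}

func main() {
	g, t, s := Demo()
	fmt.Printf("genuine accepted: %v\n", g)
	fmt.Printf("altered after signing accepted: %v\n", t)
	fmt.Printf("altered and signed with stolen key accepted: %v\n", s)
}
```

The third scenario is the point of the comment: signature checks on the client catch bytes changed after signing, but they say nothing about whether the signing environment was trustworthy, which is why that environment needs isolation, audit logging of every signing operation and, ideally, reproducible builds so a third party can check that the signed artifact matches the published source.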

woojoo666 | 3 years ago

Yes, it's possible that attackers could release a malicious client-side update, but it would be immediately noticed and an alarm would be raised. Also, I believe LastPass's client-side apps are open source, making it even more obvious when something is changed.

jiveturkey | 3 years ago

I think you are referring to a malicious client software update. It doesn't even have to be that, since a common way to use LP is just over the web.

NoPicklez | 3 years ago

The software has access, but only using your master password which is also encrypted much like the passwords you have within the app.

So unlikely.