[Cryptography] LastPass Broken (and Fixed)

Kent Borg kentborg at borg.org
Wed Jul 27 10:18:09 EDT 2016


https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

I seem to remember saying something recently about how users are going 
to be dismayed when these password managers start blowing up in their 
faces...

It looks like an autofill browser feature in LastPass could be tricked 
into autofilling all your passwords to a malicious web page.

Why would anyone sensible think such a tight integration with malicious 
code could ever be secure? Okay, so this one has been fixed. This one...

There is no way to build a secure system if you don't pay attention to 
the system boundaries. And a password manager that blends its boundaries 
with every website you ever visit is asking for trouble. But it's 
convenient, and convenience sells.

-kb, the Kent who is busily studying for a Google interview; so if you 
want to hire him better move fast: 
http://www.borg.org/~kentborg/kentborg-resume-long-2016-07-16.pdf
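
An added illustration of the boundary point made above; this is not LastPass's code, and the post gives no details of the actual bug, so the vault entries, the attacker hostname and the two matcher functions are all constructed for the example. It contrasts an autofill decision based on "does the stored host appear in the page URL" with one that parses the page URL and compares the full origin, and shows why only the second one is a boundary:

```javascript
// Added example, not LastPass's code. Two ways an autofill component might
// decide whether a stored credential belongs to the page it is about to fill.

// Constructed sample vault: credentials keyed by the origin they were saved on.
const VAULT = [
  { origin: "https://example.com", username: "alice", password: "hunter2" },
  { origin: "https://bank.example", username: "alice", password: "s3cret" },
];

// Naive matcher: treats a credential as applicable when the stored hostname
// appears anywhere in the page URL. A page the attacker controls can satisfy
// this by placing the victim host in its own path, query or userinfo part.
function naiveMatch(pageUrl, cred) {
  const host = new URL(cred.origin).hostname;
  return pageUrl.includes(host);
}

// Origin matcher: parse the page URL with the platform URL parser and require
// the (scheme, host, port) origin to equal the origin the credential was saved
// on. Attacker-controlled parts of the URL (path, query, fragment, userinfo)
// never take part in the comparison, and plaintext pages are never filled.
function originMatch(pageUrl, cred) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable URL: refuse to fill rather than guess
  }
  if (page.protocol !== "https:") return false;
  return page.origin === new URL(cred.origin).origin;
}

// Returns "username@origin" labels for every credential the matcher would
// hand to the page; the password itself is deliberately not returned here.
function credentialsFor(pageUrl, matcher, vault = VAULT) {
  return vault
    .filter((c) => matcher(pageUrl, c))
    .map((c) => c.username + "@" + c.origin);
}

// Constructed attacker pages that contain the victim hostname without being it.
const ATTACKER_QUERY = "https://attacker.test/login?next=https://bank.example/";
const ATTACKER_USERINFO = "https://bank.example@attacker.test/";
```

Run with Node: `credentialsFor(ATTACKER_QUERY, naiveMatch)` hands the bank credential to attacker.test, while `credentialsFor(ATTACKER_QUERY, originMatch)` returns nothing, and only the real `https://bank.example/login` page gets it under the origin check.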
