News LastPass, 1Password and other password managers can be hacked: What to do now

Sidebar Sidebar
Status
Not open for further replies.
Haggemano

Haggemano

Estimable
Mar 25, 2020
13
3
4,565
Saying that a password manager is at risk to phishing is really saying that some users are at risk to phishing. It's not something that can be fixed. Users have to be vigilant.

If a password manager fails to fill in a form due to phishing, it won't prevent someone from opening the password manager and copying and pasting credentials after not knowing why the manager failed to do it on its own.

Anybody who tried to steal a password through phishing won't be targeting people who use password managers, but people in general. They will be relying on people reusing credentials across websites, which is something that won't happen to users of password managers.

It's not surprising that it's a low priority. It would be a lot harder to get people to install a rogue Gmail app than to simply try 12345 and seeing if it works.
 
  • Like
Reactions: StuartHalliday
A

aleghart

Distinguished
Dec 5, 2008
1
1
18,515
Why is this being published as "new"? Did anyone from Tom's Guide read the research? The LastPass version was 4.1.60, released July 6, 2017.

The posting date of research is less relevant than what's inside the research.

This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of cllick-bait metrics.
 
  • Like
Reactions: StuartHalliday
StuartHalliday

StuartHalliday

Mar 25, 2020
1
0
10
aleghart said:
This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of cllick-bait metrics.
Click to expand...
Absolutely.
Seems very Clickbait actually. It's really full of old and redundant information. Needs all that old stuff removed.
 
P

PaulWagenseil

Prominent
Mar 27, 2020
11
0
560
Haggemano said:
Saying that a password manager is at risk to phishing is really saying that some users are at risk to phishing. It's not something that can be fixed. Users have to be vigilant.

If a password manager fails to fill in a form due to phishing, it won't prevent someone from opening the password manager and copying and pasting credentials after not knowing why the manager failed to do it on its own.

Anybody who tried to steal a password through phishing won't be targeting people who use password managers, but people in general. They will be relying on people reusing credentials across websites, which is something that won't happen to users of password managers.

It's not surprising that it's a low priority. It would be a lot harder to get people to install a rogue Gmail app than to simply try 12345 and seeing if it works.
Click to expand...

The real issue is that LastPass and 1Password used only an app's APK name -- eg. com.google.com -- to verify its authenticity. That meant that any app that used the same name could trick the password managers into autofilling the credentials for the real app into the fake app. If it was done properly, the user would not even notice.
 
P

PaulWagenseil

Prominent
Mar 27, 2020
11
0
560
aleghart said:
Why is this being published as "new"? Did anyone from Tom's Guide read the research? The LastPass version was 4.1.60, released July 6, 2017.

The posting date of research is less relevant than what's inside the research.

This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of cllick-bait metrics.
Click to expand...

I disagree, obviously. I don't know why the study authors waited so long to publish, but all of the vulnerabilities mentioned have NOT been patched.

Some of this "old" information is unfortunately still very relevant. One vendor is currently patching the flaws mentioned in the study as a result of the study, and this story, being published.

Before we ran the article, I sent each vendor a link to the study, asked each vendor detailed questions about the vulnerabilities mentioned, and gave each one 24 hours to respond with answers about which vulns had been patched, and which hadn't, and if not, why not.

Some of the vendors were very forthcoming and gave detailed answers. Some weren't, but all of them did respond, and their answers all made it into the original version of the story. You can see a point-by-point rundown of each flaw, and what each vendor is doing or has done about it, right in the body of the story.
 
P

PaulWagenseil

Prominent
Mar 27, 2020
11
0
560
aleghart said:
Why is this being published as "new"? Did anyone from Tom's Guide read the research? The LastPass version was 4.1.60, released July 6, 2017.

The posting date of research is less relevant than what's inside the research.

This is old information, and should be removed. Otherwise, Tom's Guide is causing public panic for the sake of cllick-bait metrics.
Click to expand...

Please see my response to the comment above. In short, the publication of this academic study, and our report on it, is making at least one vendor patch the reported vulnerabilities now. Not in 2017, or in 2019, but right now.
 
Status
Not open for further replies.

Similar threads

admin
News Fake LastPass iPhone app scam — what you need to know
Replies
0
Views
438
Article Commentary
admin
admin
admin
Hurry! One of our top password managers is 50% off right now
Replies
0
Views
578
Article Commentary
admin
admin
admin
One of the top password managers we've tested is 60% off — how to get it
Replies
0
Views
569
Article Commentary
admin
admin
admin
Top-rated password manager is 25% off for the holidays
Replies
0
Views
527
Article Commentary
admin
admin
G
Question Choosing a Password Manager
Replies
2
Views
4K
Antivirus / Security / Privacy
Tommy Sawyer
Tommy Sawyer

TRENDING THREADS

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom