Rich Freeman on 10 Jan 2017 08:23:40 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Lastpass - friend of foe


On Tue, Jan 10, 2017 at 11:09 AM, JP Vossen <jp@jpsdomain.org> wrote:
>
> An anonymous reader quotes Bleeping Computer: Browser autofill profiles are
> a reliable phishing vector that allow attackers to collect information from
> users via hidden form fields, which the browser automatically fills with
> preset personal information and which the user unknowingly sends to the
> attacker when he submits a form...

Clever...

>
> I don't know how LastPass or other tools work or if this applies there.

That particular attack wouldn't work on LastPass for the most part, at
least not in its typical use.

Lastpass does fill forms, but it has a separate profile for every
website.  This attack relies on taking information you had provided
for one site and obtaining it on another.  If you visit a random
website and have Lastpass installed, it won't fill anything since it
doesn't know anything about that website.  If you create a profile,
then only the form fields you saved for that particular website would
get sent.

It can actually be a bit of a pain when a website changes their
backend and the login page redirects to a different URL, and suddenly
the form is no longer filled in until you go and edit the profile and
put in the new URL.  However, it is secure and obviously I wouldn't
want it trying to guess and feeding credentials cross-site.

Now, Lastpass CAN store things like credit card details and other
generic form information which can be used across multiple websites.
However, this is typically used only for credit card numbers, and you
usually enter your master password to unlock these profiles for a
short time, and then it prompts you before filling any forms.  Now, if
you did all that then this attack would work, but if you're giving
them your credit card info anyway, the fact that they stuck the
address field in a hidden form element isn't that much more of a
problem.

The attack would work well enough for most people even if they don't
use Lastpass/etc anyway, since browsers love to try to autocomplete
forms.

To take a step back from all of this, a much better solution would be
to move away from passwords entirely.  The fact that you even need all
these tools to manage them just shows their weakness, and it would
make far more sense to move to something based on challenge-response
and not just a shared secret.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug