Rich Freeman on 10 Jan 2017 08:23:40 -0800
Re: [PLUG] Lastpass - friend of foe
On Tue, Jan 10, 2017 at 11:09 AM, JP Vossen <jp@jpsdomain.org> wrote:
>
> An anonymous reader quotes Bleeping Computer: Browser autofill profiles are
> a reliable phishing vector that allow attackers to collect information from
> users via hidden form fields, which the browser automatically fills with
> preset personal information and which the user unknowingly sends to the
> attacker when he submits a form... Clever...
>
> I don't know how LastPass or other tools work or if this applies there.

That particular attack wouldn't work on LastPass for the most part, at least not in its typical use.

Lastpass does fill forms, but it has a separate profile for every website. This attack relies on taking information you had provided for one site and obtaining it on another. If you visit a random website and have Lastpass installed, it won't fill anything since it doesn't know anything about that website. If you create a profile, then only the form fields you saved for that particular website would get sent.

It can actually be a bit of a pain when a website changes their backend and the login page redirects to a different URL, and suddenly the form is no longer filled in until you go and edit the profile and put in the new URL. However, it is secure, and obviously I wouldn't want it trying to guess and feeding credentials cross-site.

Now, Lastpass CAN store things like credit card details and other generic form information which can be used across multiple websites. However, this is typically used only for credit card numbers, and you usually enter your master password to unlock these profiles for a short time, and then it prompts you before filling any forms. Now, if you did all that then this attack would work, but if you're giving them your credit card info anyway, the fact that they stuck the address field in a hidden form element isn't that much more of a problem.

The attack would work well enough for most people even if they don't use Lastpass/etc anyway, since browsers love to try to autocomplete forms.

To take a step back from all of this, a much better solution would be to move away from passwords entirely. The fact that you even need all these tools to manage them just shows their weakness, and it would make far more sense to move to something based on challenge-response and not just a shared secret.

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug