64May 8, 2023
It takes two posts to list all the third-party code injected into the LastPass homepage. Yes, the same-origin policy is protecting you… It should be safe, but it’s not a good look.

RE: https://fosstodon.org/users/proactiveservices/statuses/110312891596538301
Adam Piggott (@[email protected])

@[email protected] holy shit. from the homepage alone: akstat.io mtkoresp.com (>6s response time) smooch.io doubleclick.net (historical malware pusher) amazon-adsystem.com adservice.google.com (historical malware pusher) twitter.com (Nazi platform) msecnd.net (histoical malware pusher) 6sc.co khoros.com (remote code execution, slow response time) contentsquare.net go-mpulse.net lmiutil.net (remote code execution) trustarc.com (remote code execution) truste.com (remote code execution) ...

Fosstodon
Show threadDuncanWatson
@64 There is at least one person on my security team who seems to take all LastPass Press Releases at face value and as authoritative. sigh
May 8, 2023 at 9:52pmWeb