"Lastpass is storing the 2FA secret seed under a URL that can be derived from your password. This literally beats the entire purpose of 2FA which, as mentioned above, is a layer of security to prevent attackers already in possession of the password from logging in"

http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/

"Lastpass serves the QR code as a pure image file. The attacker can set an “img” tag on his domain with the “src” property pointing to the 2FA URL. The image will load under the attacker’s domain context without any SOP limitations."

http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/

@sungo oh for crying out loud
@munin Combine this with the issues from last month and LastPass has become a hard fail.
@sungo shit balls. I need to dump LastPass, don't I?
@lmorchard They've had a ton of reported vulnerabilities in the last month or so. To their credit, they've responded quickly and patched quickly. But still
@sungo JFC. So glad I use 1Password.
@theory @sungo 1Password is not Open Source and should thus not be trusted...
@sungo I use Pass (passwordstore.org), which is kinda excellent for its simplicity. It uses GnuPG and Git, which means it is pretty much the most portable password manager out there. Another + is that it doesn't use a database (KeePass) but decrypts only the password you need.