sungo_enothereApr 21, 2017

"Lastpass is storing the 2FA secret seed under a URL that can be derived from your password. This literally beats the entire purpose of 2FA which, as mentioned above, is a layer of security to prevent attackers already in possession of the password from logging in"

http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/

Show threadsungo_enothereApr 21, 2017

"Lastpass serves the QR code as a pure image file. The attacker can set an “img” tag on his domain with the “src” property pointing to the 2FA URL. The image will load under the attacker’s domain context without any SOP limitations."

http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/

Show threadMunin, Keeper of Lore
@sungo oh for crying out loud
Apr 21, 2017 at 12:19amWeb
Show threadsungo_enothereApr 21, 2017
@munin Combine this with the issues from last month and LastPass has become a hard fail.