Logos wrote:... I guess - if we don't take LP recent fixes into account - people using FF NoScript on any FF version or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification ) are protected.
Logos wrote:ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.
Giorgio Maone wrote:Logos wrote:ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.
Not sure about it, where did you read this?
AFAIK, the LastPass add-on keeps an authenticated session with the website, acting as a logged-in user.
If it works this way (very likely), an XSS attack can impersonate you anyway, even if you don't visit the LastPass web site, because any HTTP request sends the authentication tokens.
LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on.
Logos wrote:When I do that, ie go to my account on last pass site, I'm already logged in.
Logos wrote:Also, what happens if I never log off?
Logos wrote:ps: also, did you read this... http://blog.lastpass.com/2011/02/cross- ... ility.html
Perhaps it's just inherently dangerous to outsource your password management to a third party.
As well as fixing the XSS, they need to start using HSTS too.
dhouwn wrote:If this is going to be a thread about password handling in general, here is how I roll: I generate a password for each domain based on a one-way algorithm fed with the domain (with TLD) + a master password, i.e. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/
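A worked version of the scheme dhouwn describes, as an added example (not code from the post or from either linked site): the MD5-then-base64 derivation exactly as stated, next to a PBKDF2 variant that is my own addition and makes guessing the master password expensive if a single derived site password ever leaks. The `www.` stripping and the iteration count are assumptions.

```python
import base64
import hashlib


def normalize_domain(host: str) -> str:
    """Lower-case the host and drop a leading 'www.' so one site maps to one
    password. Registrable-domain extraction (e.g. public suffix rules for
    co.uk) is deliberately not attempted here (assumption)."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def derive_md5(domain: str, master: str) -> str:
    """dhouwn's scheme: MD5 over domain + master, base64 for compatibility.
    MD5 is fast and unkeyed, so one leaked site password lets anyone test
    master-password guesses offline at full hashing speed."""
    digest = hashlib.md5((domain + master).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")  # 16 bytes -> 24 chars


def derive_pbkdf2(domain: str, master: str, iterations: int = 200_000) -> str:
    """Hardened variant (assumption, not from the post): the domain is the
    per-site salt and the iteration count slows each guess down, while the
    output stays deterministic and site-specific like the original."""
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), domain.encode("utf-8"),
        iterations, dklen=18,
    )
    return base64.b64encode(key).decode("ascii")  # 18 bytes -> 24 chars, no '='


def site_password(host: str, master: str, hardened: bool = False) -> str:
    """Normalize the host, then derive with the chosen scheme."""
    domain = normalize_domain(host)
    return derive_pbkdf2(domain, master) if hardened else derive_md5(domain, master)


if __name__ == "__main__":
    # Constructed sample values from the post.
    master = "f00&Bar123"
    for host in ("amazon.co.uk", "www.Amazon.co.uk", "amazon.com"):
        print(host, site_password(host, master), site_password(host, master, True))
```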
Tom T. wrote:Just some food for thought...
1) What if LastPass goes out of business?
2) Corrupt employee takes a bribe to do evil?
3) Disgruntled employee does evil to get revenge?
4) Innocent employee extorted by threats against family, etc.?
5) DOS attack knocks their servers offline for some number of hours, or worse?
6) Their servers go down due to hw or sw failure? How much redundancy do they have?
7) Power failure, hurricane/tornado/lightning/flood/earthquake/tsunami/fire? Blizzard prevents anyone from getting to work? etc. How much *off-site* full redundancy do they have? E.g., server in California crumbled by earthquake, is there one in London that can handle *all* of the load and has the info?
8) (make up your own - there must be plenty more)
Sure, these things can happen to *any* Web site. But when the service involved is the storage and retrieval of all of your user/pass to *every* other site that requires them...
I hope that those who use LastPass have all of their user/pass stored *on paper* in what they consider to be a safe location. (Is there anyone in your household whom you don't trust?) And electronically, but *not* on your computer. Perhaps a flash drive, CD, DVD, whatever, in which your U/P are stored in an encrypted TrueCrypt volume. Then, if one of these worst-case scenarios happens, you haven't lost it all.