LastPass security hole (cross site scripting)

General discussion about the NoScript extension for Firefox
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Fri May 20, 2011 6:00 am

tlu wrote:As you've said yourself, this is going a bit OT. Nevertheless I want to clarify some things as you don't seem to be familiar with the Lastpass approach:
1. There is only encrypted data on the Lastpass servers. Encryption/decryption is done only on your computer.
2. Your data is also stored on your computer in encrypted form and can be copied to a USB stick or whatever.

Consequences:
1. If there is a data theft from their servers the thieves cannot use it unless your master password is very weak and prone to a dictionary attack.
2. If the servers are offline or Lastpass is bankrupt you can still access the data on your harddisk via the plugin (but you can't change/add new data) - and you can still export it to, e.g. the Firefox password manager or to a csv file.

This is not meant to convince you. But I think it's obvious that most of the attacks/incidents you mentioned would come to nothing.

No, I didn't mean for this to be a debate on the merits of each, and you've answered some concerns. I have just two thoughts that came to mind upon reading your post:

1) If the encrypt/decrypt is done only on your own computer, then why involve a third-party website at all, when a free, 3-MB tool does the same thing for you without anyone else's involvement, and the corresponding saving in bandwidth and time-to-process? In other words, what is *better* about using LastPass versus Password Safe?

2) Not being able to edit, delete, or add entries whenever the server is not available for any of a million reasons still seems a major disadvantage, even if it happens only rarely.

And one that came to mind since:

You are correct that I haven't investigated LP deeply, seeing no need, and seeing some disadvantages. But if the decryption is done on "your" computer, what about when you take your USB stick and log in on some other machine? (Friend, relative, Internet cafe, if they allow USB at all). When Password Safe is placed directly on your flash drive (and it can be an exact dupe of the one on your hard drive, synched regularly by copying a single, small file, example below), it can be run on any Windows machine *without leaving traces on the host computer*. So if someone bad later gets access to the machine, they can find nothing from your use of PWS on it. This is a question, not a statement: What does LastPass leave on the host machine under these circumstances?

Here is one line in a simple batch script that both backs up your HD password file to your flash drive, and also synchs it to your copy of PWS on the flash, since you can set this location as the default pw file to open:

xcopy "c:\program files\password safe\pwsafe.psafe3" g:\backups /d /q /k /y

Two clicks, and you're done.

Of course, power users can shorten that and universalize it (if perhaps you use one machine with root drive C: and another with root D:, for example) with environment variables: %programfiles% for c:\program files, which on my own machine, I shortened to %prog%. Cheers.

therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: LastPass security hole (cross site scripting)

Post by therube » Sat May 21, 2011 4:03 am

(I haven't really been following/not really familiar with ... Anyhow, it may be funny or appropriate, or inappropriately funny?)




Password generator bookmarklet

http://passwordmaker.org/passwordmaker.html

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Sat May 21, 2011 5:52 am


Uses MD5. http://en.wikipedia.org/wiki/Md5:
Wikipedia wrote:In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable; specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity. US-CERT of the U.S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use," and most U.S. government applications now require the SHA-2 family of hash functions.

Password Safe will generate pws of any length, constraints (keyboard chars yes/no, hex-only, etc.), or for generation only, you can copy/paste any portion of an infinitely-changing list of hex, alphanumeric, or ASCII pws presented at Steve Gibson's Perfect Passwords site. Served over https, and of course, he has no way of knowing what you've copied.

Funny cartoon.

marco'anthonio
Posts: 8
Joined: Sat May 14, 2011 9:23 am

Re: LastPass security hole (cross site scripting)

Post by marco'anthonio » Sun May 22, 2011 6:46 pm

Logos wrote:okay thanks for the feedback, I had no doubt that NS would be the ultimate protection against such attacks ;)

ps: on a side note for those reading this thread, I wanted to add that obviously the issue (XSS) may occur exclusively when accessing your lastpass account directly on lastpass website. The use itself of the lastpass plugin represents no problem whatsoever.

I wanna thank you for the info. I was about to mail it to my son from your site & NoScript told me 'watch it' XSS, clickjacking while trying to sign in my gmail... And I was about to redirect you across town. His mother would not even change the darn wep to wpa because I said they should. She works in a software producing co. as an accountant.
I wanna know Where does a 'Cracker' draw the line?.. Logos.

[Image: http://img855.imageshack.us/img855/7666/capture32.png]

I uploaded the wrong shot by mistake. That 1 shows Zonealarm telling it wanted to access the lan; but there was an xss warning too.
I may be misinterpreting warnings now. I have been called paranoid before ;)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Sun May 22, 2011 11:06 pm

marco'anthonio wrote: <snip> His mother would not even change the darn wep to wpa because I said they should.

What if you told her that we (security-oriented forum supporting world's best browser security tool) told her she should? ;) ... and preferably, to WPA2, if the hw will support it. (If she has an older Win XP, MS has an update that will add WPA2 support.)
marco'anthonio wrote:She works in a software producing co. as an accountant.

In my experience, some sw engineers themselves are ignorant of security, as it's apparently not taught in most Computer Science curricula. Should be an integral part of every course, IMHO.
marco'anthonio wrote:I wanna know Where does a 'Cracker' draw the line?.. Logos.

You can tinker with your own machine all you like. You can find security issues and report them responsibly -- Zero Day initiative will even pay you for them. But the moment you access or change anyone else's computer or network without their express, informed consent, or publish means for doing so before giving vendors adequate time to issue patches, you've crossed the line. Clear enough? 8-)

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: LastPass security hole (cross site scripting)

Post by tlu » Mon May 23, 2011 9:55 am

Tom T. wrote:No, I didn't mean for this to be a debate on the merits of each, and you've answered some concerns. I have just two thoughts that came to mind upon reading your post:

1) If the encrypt/decrypt is done only on your own computer, then why involve a third-party website at all, when a free, 3-MB tool does the same thing for you without anyone else's involvement, and the corresponding saving in bandwidth and time-to-process? In other words, what is *better* about using LastPass versus Password Safe?


I see 2 advantages:

1. You have an additional (encrypted) copy of your login data on the Lastpass servers which adds security. Say, if your harddisk crashes and you don't have a backup available (or it's not up-to-date), just setup your system anew and install the Lastpass plugin in your browser, login with it in your Lastpass account - and a new encrypted local copy is immediately saved on your harddisk. It couldn't be easier.
2. If you use different browsers, operating systems and/or a mobile phone there is no need to synchronize them manually. Just install the suitable plugin - ready!

Tom T. wrote:2) Not being able to edit, delete, or add entries whenever the server is not available for any of a million reasons still seems a major disadvantage, even if it happens only rarely.


Yes, it happens very rarely in my experience. And do you really edit, delete or add login entries that often :?:

Another advantage that comes to my mind: The automatic fill-in of login fields works better on several sites with Lastpass compared to the FF password manager (I don't know about other alternatives like PasswordMaker).

Tom T. wrote:And one that came to mind since:

You are correct that I haven't investigated LP deeply, seeing no need, and seeing some disadvantages. But if the decryption is done on "your" computer, what about when you take your USB stick and log in on some other machine? (Friend, relative, Internet cafe, if they allow USB at all). When Password Safe is placed directly on your flash drive (and it can be an exact dupe of the one on your hard drive, synched regularly by copying a single, small file, example below), it can be run on any Windows machine *without leaving traces on the host computer*. So if someone bad later gets access to the machine, they can find nothing from your use of PWS on it. This is a question, not a statement: What does LastPass leave on the host machine under these circumstances?


https://lastpass.com/support.php?cmd=showfaq&id=866

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Wed May 25, 2011 1:08 am

Thanks for the input. In the spirit, not of "debate", but of a "comparative discussion" of pros/cons of each, just a couple of comments.
tlu wrote:I see 2 advantages:

1. You have an additional (encrypted) copy of your login data on the Lastpass servers which adds security. Say, if your harddisk crashes and you don't have a backup available (or it's not up-to-date), just setup your system anew and install the Lastpass plugin in your browser, login with it in your Lastpass account - and a new encrypted local copy is immediately saved on your harddisk. It couldn't be easier.

Always an advantage to *anything* to have an off-site backup, agreed. Since backing up Password Safe is as easy as plugging in flash drive and 2-click the batch script mentioned -- or just copy *one single file* of a few k directly from the HD to the Flash -- I back it up every time there's a significant change. It couldn't be easier. :) (and no need to be online, either you or an external server). There is also an automatic backup feature that can be configured to save a backup every time anything changes, to whatever location you direct -- flash, external drive, Shared folder on your home network, etc.

I did have a HD die on me, got a new one, restored a full-disk-image backup, and got the latest backup of password file off my flash drive, just in case the FDI-backup wasn't of the latest PWS file. No sweat, and no need to go online.

tlu wrote:2. If you use different browsers, operating systems and/or a mobile phone there is no need to synchronize them manually. Just install the suitable plugin - ready!

I'm very leery of doing any sensitive operations over a mobile phone, given the even-weaker security, but supporting different OS is indeed an advantage for some users -- PWS is Win-only ATM. AFAIK, though, one single copy (say, on flash drive) does support any browser.

tlu wrote:
Tom T. wrote:2) Not being able to edit, delete, or add entries whenever the server is not available for any of a million reasons still seems a major disadvantage, even if it happens only rarely.

Yes, it happens very rarely in my experience. And do you really edit, delete or add login entries that often :?:

Surprisingly more than one might think. For example, with the wave of bank mergers in the US, one's online banking creds might change, or the new site might add challenge questions, or have different ones. And existing sites often "upgrade" security :roll: by adding various such things. Every time you happen to see, or be directed to, a forum, perhaps in searching for an answer to a question, you may be required to create yet another user/pass. Also, enterprises often have policies requiring pw changes every X days, and that advice is often given to home users, too, although its value is much less than popularly thought.

In total, I'd guess I do at least two dozen or more edits or additions a year, so without hunting through a year of backups to count the PWS files with different "modified" dates ;) , let's say an average of once every week or two. Agreed that the chances of that happening at the moment of one of those very rare server failures is slim, and I *could* write it down, change the local plugin (?), etc. until the server is up, but with PWS, the chance is zero. I prefer zero to very rare, but agree that there are advantages to the multi-OS support.
tlu wrote:Another advantage that comes to my mind: The automatic fill-in of login fields works better on several sites with Lastpass compared to the FF password manager (I don't know about other alternatives like PasswordMaker).

I don't know PasswordMaker, and I would never trust *any* browser pw-manager. PWS auto-type works perfectly on all sites for me, except for those in which the user and password inputs are on different pages, in which case a convenient copy-to-clipboard and paste still saves the trouble of typing. Try it - it's free, no "installation", delete it if you don't like it.

tlu wrote:
Tom T. wrote:<snip> what about when you take your USB stick and log in on some other machine? (Friend, relative, Internet cafe, if they allow USB at all). When Password Safe is placed directly on your flash drive ... it can be run on any Windows machine *without leaving traces on the host computer*. So if someone bad later gets access to the machine, they can find nothing from your use of PWS on it. This is a question, not a statement: What does LastPass leave on the host machine under these circumstances?

https://lastpass.com/support.php?cmd=showfaq&id=866

I went there.
> How do I use LastPass from a USB thumb drive?
>
> You can:
> 1. Install a portable browser and download LastPass Portable: http://helpdesk.lastpass.com/lastpass-portable/

With PWS, no need to d/l a portable browser, although I have a couple anyway. It will work with whatever browser is on the host, AFAIK.

The same version of PWS that you put on your HD works fine on your flash drive, since it's completely self-contained. No multiple versions to d/l and install.
> 3. Use IE Anywhere to hook into Internet Explorer or IE Tab for Firefox and Chrome (this is a Premium....)

Costs money? I wouldn't use IE (whole point of Fx is safety, esp, with NoScript), but while I haven't looked into it, intuitively, whatever browser is running on the host, PWS enters your info. Or you can click-paste, as mentioned. No charge.
> If you frequently use Internet cafes or untrusted computers, the Portable option is an ideal way to securely access your LastPass Vault.

This *implies* that no traces are left on the host, though I couldn't see where they said so explicitly. Of course, any untrusted machine could be compromised in ways that would hurt us with either tool, but not having to browse the Internet to get to your pw manager is one less possible attack vector. (Machine/LAN has phony SSL cert installed, MITMs your transmissions, then sends them on to server. With PWS, your stuff is already encrypted before it hits even the LAN of the Internet cafe or whatever.)

Overall, it does seem as though the LP people have tried hard to provide a good and secure cloud-based solution, but on general principles IMHO, the fewer parties involved in *anything*, the better. After all, what was this thread *originally* about? (before we took it O/T, lol) An XSS vuln in Last Pass. :o

And *that* is why whenever there's a choice between the cloud and home, I'm with Dorothy: "There's no place like home."

Thanks for the interesting discussion and exploration.

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: LastPass security hole (cross site scripting)

Post by Thrawn » Wed May 09, 2012 9:51 am

dhouwn wrote:If this is going to be a thread about passport handling in general, here is how I roll: I generate a password for each domain based with a one-way algorithm fed with the domain (with TLD) + a master password, ie. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/


You might also be interested in the Fire Encrypter or Fire Hash addons, which will allow you to keep your password generation on your local machine, thus avoiding MITM of your master password.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Thu May 10, 2012 5:38 am

Thrawn wrote:
dhouwn wrote:If this is going to be a thread about passport handling in general, here is how I roll: I generate a password for each domain based with a one-way algorithm fed with the domain (with TLD) + a master password, ie. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/

You might also be interested in the Fire Encrypter or Fire Hash addons, which will allow you to keep your password generation on your local machine, thus avoiding MITM of your master password.

Password Safe keeps your pw generation on your local machine, as mentioned above, while avoiding involving the browser in pw generation at all -- a plus, IMHO.
And a single 4MB separate app, on HD, flash drive, whatever, take it with you when traveling, and no add-ons or add-on incompatibilities to worry about.
Also, the app itself is not Web-facing, as any add-on probably is.

I don't see how dhouwn's lengthy process is any better than a strong random pw generator, other than being able to reproduce the pw if you lose it.
Password Safe is easily backed up to any medium by copy or drag/drop a single encrypted file of 10-20k.

Especially since MD5 is considered broken.
.... In December 2008, a group of researchers used this technique to fake SSL certificate validity, and US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use." and most U.S. government applications now require the SHA-2 family of hash functions.

Also, if that algorithm is part of certain scripts or add-ons, hackers would be aware of it, too. So anyone who obtains your master PW can produce all of your site pws, just as they could with any other master-pw method, including Password Safe. Involving a site name in pw generation adds zero entropy, really.
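The derivation dhouwn describes, and the two objections raised to it in the post above (MD5, and the site name adding no entropy), as an added Python example. It is not code from any poster, nor from SuperGenPass or PwdHash; the function names, the PBKDF2 variant and its iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumed work factor for the slow variant; not a value from the thread.
PBKDF2_ITERATIONS = 200_000


def md5_site_password(domain, master):
    """Scheme as described in the thread: base64(MD5(domain + master))."""
    digest = hashlib.md5((domain + master).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def kdf_site_password(domain, master):
    """Same idea with a deliberately slow KDF: PBKDF2-HMAC-SHA256, domain as salt."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), PBKDF2_ITERATIONS, dklen=16)
    return base64.b64encode(raw).decode("ascii")


def derive_all(master, domains, derive=md5_site_password):
    """The domain is public, so the master password alone yields every site password."""
    return {domain: derive(domain, master) for domain in domains}


def candidate_matches(domain, exposed_password, candidate_master, derive):
    """One exposed site password is enough to test a guessed master password offline."""
    return hmac.compare_digest(derive(domain, candidate_master), exposed_password)


def seconds_per_check(derive, rounds):
    """Average wall-clock cost of one derivation, i.e. of checking one guess."""
    start = time.perf_counter()
    for i in range(rounds):
        derive("amazon.co.uk", "candidate-%d" % i)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    master = "f00&Bar123"                      # example values quoted in the thread
    domains = ["amazon.co.uk", "example.org"]  # second domain is constructed
    for name, derive in (("md5", md5_site_password), ("pbkdf2", kdf_site_password)):
        print(name, derive_all(master, domains, derive))
    exposed = md5_site_password("amazon.co.uk", master)
    print("right master verifies:",
          candidate_matches("amazon.co.uk", exposed, master, md5_site_password))
    print("wrong master verifies:",
          candidate_matches("amazon.co.uk", exposed, "f00&Bar124", md5_site_password))
    fast = seconds_per_check(md5_site_password, 1000)
    slow = seconds_per_check(kdf_site_password, 3)
    print("cost per check: md5 %.2e s, pbkdf2 %.2e s" % (fast, slow))
```

Either way the strength of every derived password is bounded by the master password; the slow KDF only raises the cost of each offline check.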

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: LastPass security hole (cross site scripting)

Post by Thrawn » Fri May 11, 2012 12:21 am

Tom T. wrote:
Thrawn wrote:
dhouwn wrote:If this is going to be a thread about passport handling in general, here is how I roll: I generate a password for each domain based with a one-way algorithm fed with the domain (with TLD) + a master password, ie. like feeding "amazon.co.uk" concatenated with "f00&Bar123" to MD5 (and then base64ing it for compatibility). There are scripts that offer this as well like http://supergenpass.com/ (note, a site could get your master Pwd through the bookmarklet) or https://www.pwdhash.com/

You might also be interested in the Fire Encrypter or Fire Hash addons, which will allow you to keep your password generation on your local machine, thus avoiding MITM of your master password.

Password Safe keeps your pw generation on your local machine, as mentioned above, while avoiding involving the browser in pw generation at all -- a plus, IMHO.
And a single 4MB separate app, on HD, flash drive, whatever, take it with you when traveling, and no add-ons or add-on incompatibilities to worry about.
Also, the app itself is not Web-facing, as any add-on probably is.

I don't see how dhouwn's lengthy process is any better than a strong random pw generator, other than being able to reproduce the pw if you lose it.
Password Safe is easily backed up to any medium by copy or drag/drop a single encrypted file of 10-20k.


Yeah, standalone apps are quicker to use, and just as easy to back up. I was really only suggesting the addons as a replacement for the in-the-cloud services that dhouwn mentioned.

I think that Fire Encrypter and Fire Hash are self-contained, and about 30KB or less. The developer describes them as mostly just for fun, but if you're going to be generating passwords from hashes while browsing, may as well use the addons instead of a cloud service...Fire Encrypter has a password generator, too. Which would take you back to needing a secure password safe, of course.

Tom T. wrote:Especially since MD5 is considered broken.
.... In December 2008, a group of researchers used this technique to fake SSL certificate validity, and US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use." and most U.S. government applications now require the SHA-2 family of hash functions.

Also, if that algorithm is part of certain scripts or add-ons, hackers would be aware of it, too. So anyone who obtains your master PW can produce all of your site pws, just as they could with any other master-pw method, including Password Safe. Involving a site name in pw generation adds zero entropy, really.

Yep, both addons have SHA-256 / SHA-384 / SHA-512.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Fri May 11, 2012 2:36 am

Thrawn wrote:I think that Fire Encrypter and Fire Hash are self-contained, and about 30KB or less. The developer describes them as mostly just for fun,

Fun? :shock:

If the dev doesn't take his/her pw-generating add-on seriously, why should we?

Password Safe's encryption was designed by world-class crypto-geek Bruce Schneier, who takes his work *very* seriously.

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: LastPass security hole (cross site scripting)

Post by Thrawn » Fri May 11, 2012 3:35 am

Tom T. wrote:
Thrawn wrote:I think that Fire Encrypter and Fire Hash are self-contained, and about 30KB or less. The developer describes them as mostly just for fun,

Fun? :shock:

If the dev doesn't take his/her pw-generating add-on seriously, why should we?

Password Safe's encryption was designed by world-class crypto-geek Bruce Schneier, who takes his work *very* seriously.


OK, more accurately, "mostly useful for developers or for education & fun".

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Fri May 11, 2012 4:20 am

Took a look.
Why was Fire Encrypter created?
I needed cryptography for various projects, and so I put it all into one add-on.

10 user reviews
1,614 users
*********************
Fire Hash

0 user reviews
239 users

Comparing checksums of downloaded files is always a good idea.
Not intending to be consistently negative here, but again, stand-alones are much less vulnerable to any tampering with or inside the active browser.

May I respectfully suggest a peek at HashCalc? (freeware)
600k app that I keep on a flash drive (+ another 600k for the install/uninstaller), 2-click to open the .exe, drag and drop any file, get the checksums immediately.
Also hashes text strings and hex strings.

Support of 12 well-known and documented hash and checksum algorithms: MD2, MD4, MD5, SHA-1, SHA-2( 256, 384, 512), RIPEMD-160, PANAMA, TIGER, ADLER32, CRC32.
Support of a custom hash algorithm (MD4-based) used in eDonkey and eMule applications.
Support of 2 modes of calculations: HASH/CHECKSUM and HMAC.

... and without involving the browser.

IIRC, it was tlu who noted that having more and more add-ons gives the browser a more nearly unique fingerprint (reduces entropy).

The only disappointing thing, when I went back to their home page, is that it appears to support only through Windows XP. (and Windows only)
Surprised that there isn't support for Vista/7; perhaps if many sent requests to the dev, he'd do it. (Or maybe they'd work anyway? Anyone with V/7 care to try? )

Also would be nice to have Mac and *nix versions, of course.

therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: LastPass security hole (cross site scripting)

Post by therube » Fri May 11, 2012 5:16 pm

> (HashCalc) appears to support only through Windows XP
> Surprised that there isn't support for Vista/7

Probably just never bothered testing specifically, though can't imagine it wouldn't work.
Win7 released in 2009, a couple years after the last release of HashCalc.
Vista released just a short while prior, Jan 2007, to HashCalc.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: LastPass security hole (cross site scripting)

Post by Tom T. » Sat May 12, 2012 12:48 am

therube wrote:> (HashCalc) appears to support only through Windows XP
> Surprised that there isn't support for Vista/7

Probably just never bothered testing specifically, though can't imagine it wouldn't work.

I would think so, too. Would anyone with access to Vista or Win 7 care to do a one-minute download and test? TIA.
