Design Flaw May Have Allowed Attackers To Bypass LastPass Two-Factor Authentication

Status
Not open for further replies.
The CSRF issue has been fixed and the QR code vulnerability is not exploitable. The researcher made a flawed POC that loads the QR code from his local machine. The source article has an update about this right at the bottom.
 
Why would anyone using Lastpass reuse account passwords or the master password? Common sense would dictate allowing Lastpass to generate unique and complex passwords for each account. This vulnerability seems to presuppose a great deal of stupidity on the part of someone smart enough to begin using Lastpass (or something like it) in the first place.
 
I do not understand this whole "Password Manager!" nonsense. I have used the same password on numerous websites (though none where I plan to use real money) and I have never gotten hit by one of these hackers except on websites where I used a very short one-word password (which I then upgraded to a little bit longer two-word + random symbol + number and solved the issue).
It seems to me that most of the problem is "Bad design choices!" on the part of the companies, such as allowing master lists of passwords to be downloaded off servers onto personal computers.
 