Design Flaw May Have Allowed Attackers To Bypass LastPass Two-Factor Authentication

Status
Not open for further replies.

randomizer

Champion
Moderator
The CSRF issue has been fixed and the QR code vulnerability is not exploitable. The researcher made a flawed POC that loads the QR code from his local machine. The source article has an update about this right at the bottom.
 

sewalk

Distinguished
Sep 21, 2010
276
0
18,860
26
Why would anyone using Lastpass reuse account passwords or the master password? Common sense would dictate allowing Lastpass to generate unique and complex passwords for each account. This vulnerability seems to presuppose a great deal of stupidity on the part of someone smart enough to begin using Lastpass (or something like it) in the first place.
 

Christopher1

Distinguished
Aug 29, 2006
657
1
19,015
5
I do not understand this whole "Password Manager!" nonsense. I have used the same password on numerous websites (though none where I plan to use real money) and I have never gotten hit by one of these hackers except on websites where I used a very short one word password (which I then upgraded to little bit longer twoword+random symbol+Number and solved the issue).
It seems to me that most of the problem is "Bad design choices!" on the part of the companies, such as allowing master lists of passwords to be downloaded off servers onto personal computers.
 
Status
Not open for further replies.

ASK THE COMMUNITY

TRENDING THREADS