How I stole my friend’s passwords via LastPass

Matthew Gilk
2 min read · Aug 13, 2016


Over the years, I have had many moments of doubt about continuing to use LastPass, including but not limited to security breaches, an awkward user interface, and that feeling when you’re on somebody else’s machine and can’t remember your 50-character randomly generated Gmail password.

No special characters, tho

At the end of the day, though, I find that it’s a net positive in terms of peace of mind and actual security provisions.

With this in mind, I want to issue a little reminder to those of us using password managers of any flavor: security is hard, and it follows that security is a tradeoff with convenience.

I’m not some hardcore netsec hacker. So when I came across what I perceived as a vulnerability in LastPass (and likely other password managers), I was pretty surprised.

It goes like this (using Chrome in my case):

  1. Use your password manager’s password sharing feature to send credentials to a trusted party.
  2. Have them click through and launch the site, which autofills and submits the login form.
  3. Chrome asks if you would like to save the password for said site; you accept.
  4. That password is now stored in super-secret-passwords in Chrome, viewable by merely entering your own system password.

OK, so is it a vulnerability? Well, not really, and I’m not the first to chance upon this. LastPass even provides this friendly warning, deep within their password sharing FAQ:

Savvy end users could potentially access the password if they capture it using advanced techniques...

Advanced techniques

So my point in writing this is merely to act as a reminder. Your password manager and other such tools are not the turn-key solutions they sometimes advertise themselves to be. What little I did learn about network security from my time at a fintech startup was that there is no silver bullet; security begins with YOU.

Knowing is half the battle
