Lastpass-password stealing

prime
prime
Community Member

I'm not posting this as a haha to a competitor, but as I hope 1Password doesn't have this issue.

http://www.zdnet.com/article/lastpass-hit-by-password-stealing-and-code-execution-vulnerabilities/

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @prime: 1Password doesn't have that issue. While everyone makes mistakes, part of what makes something like that possible is the fundamental design of the extension. 1Password's browser extensions are notably pretty "dumb" in the sense that most of 1Password's saving/filling smarts is in the app. This is why for example you can't use the extension by itself. The drawback there is that it won't work on platforms where we don't have a native app for it to connect to. But the benefit is that we're not executing code on the machine from the browser. So while the 1Password extensions are limited in a few key ways, it's because they're sandboxed in the browser. This definitely reduces the attack surface, and while it might be nice to have a standalone browser extension (for example, that would work on Linux or ChromeOS), it means there are more things that can go wrong as well. It's just a matter of complexity; and complexity is the enemy of security. That's not to say that 1Password is invincible, but it reduces the attack surface, and less that could be gained by compromising the extension (since it doesn't store any of our data). So if we make a standalone extension in the future, we'll have to take great care not to make similar mistakes -- so certainly this is a lesson we can all take to heart.

  • prime
    prime
    Community Member
    edited March 2017

    @brenty That's very interesting about 1Passwords extension being sandboxed in the browser. I also never thought it as limited, it does everything I need it to do :) Sometimes going simple is the best way doing things too. Look at music; albums that are over produced are not as good (to me). There are some albums that the bands said they did it simple, even have mistakes, and are some of the albums I like best.

    I'm not here to bash LastPass, and I'm glad someone caught the issues before it became a big issue. It also says a lot when Agilebits people don't say negative things about competitors.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @prime: Thanks for the kind words. Honestly, we're in the same boat and it hurts everyone when things like this happen. I think you know how difficult is for some folks to put their trust in a password manager and/or cloud service, and stuff like this scares people away. When it comes to the 1Password extension, I too have modest needs. But a lot of novice users and power users alike prefer the idea of a standalone extension (whether or not they think of it in those terms, and certainly they have different reasons) because honestly it seems natural: "I installed 1Password in my [compatible] browser. It should work!" So from a user standpoint -- whether we're talking about "it just works" or "run everywhere" -- it would be nice to have a standalone extension. But as always there are tradeoffs.

  • prime
    prime
    Community Member

    @toasted I just saw that also. This isn't good for any password managers. I hope the get their stuff together soon.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Yeah... I've been following this as it's continued to develop, and it's kind of depressing. They may be our competitor, but this affects real people. I'm glad if issues are found through research, not active exploitation, and are fixed promptly, but the "tech press" and cavalier tweeting really don't help anyone, only create panic and confusion. Exhausting. :sick:

  • prime
    prime
    Community Member

    I agree and glad it was found though research also. Now you have the people on social media under the news articles about this: "who uses password managers", "all eggs in one basket?", "I have my brain, no one can hack that", "I put it on paper", and others. I have to bite my tongue and just let it go.

  • wkleem
    wkleem
    Community Member
    edited March 2017

    There is something much deeper, which is that Microsoft's Application Verifier zero day exploit can be used to thwart the anti malware apps, or any other app. :( It goes back to XP!!

    https://betanews.com/2017/03/22/doubleagent-zero-day-security-exploit/

    "The DoubleAgent exploit can be used on all versions of Windows from Windows XP to Windows 10, and the use of a persistency technique means that injected code can survive a system reboot."

    Microsoft offers a standard way to install runtime verification tools for native code via Microsoft Application Verifier Provider DLLs. A verifier provider DLL is simply a DLL that is loaded into the process and is responsible for performing runtime verifications for the application.

    In order to register a new Application Verifier Provider DLL one needs to create a verifier provider DLL and register it by creating a set of keys in the registry.

    Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.

  • DanielP
    DanielP
    1Password Alumni

    Zero days will always exist, this is not surprising unfortunately.

This discussion has been closed.