One Article Review

Source Graham Cluley
Identifier 4784
Publication date 2016-07-27 11:50:43 (seen: 2016-07-27 11:50:43)
Title LastPass security hole could have seen hackers steal your passwords
Text Mathias Karlsson, a security researcher at Detectify Labs, writes:

"Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That's what I thought too before I decided to check out the security of the LastPass browser extension."

In his article, Karlsson explains how he was able to trick LastPass into believing that it was on the real Twitter website, and cough up the users' credentials because of a bug in the LastPass password manager's autofill functionality.

The same technique could have been used to steal passwords associated with other websites.

Yeuch!

The good news is that Karlsson believes in responsible disclosure, and so informed LastPass of the problem. In more good news LastPass fixed the issue in less than a day (and awarded Karlsson a $1,000 bug bounty for his efforts).

Karlsson recommends that LastPass users disable the autofill functionality and enable multi-factor authentication for better security.

Although his discovery is troubling, I agree with Karlsson when he points out that using a password manager is still better than reusing passwords on different websites.

PS. Well-known vulnerability researcher Tavis Ormandy has also tweeted overnight that he has also found a flaw in LastPass. Details have not yet been made public, and LastPass is reportedly working with him on resolving the issue.

PPS. Readers with good memories will recall that LastPass was acquired by LogMeIn last year to the concern of some. Overnight it has been announced that LogMeIn is itself being acquired by Citrix.
Sent Yes
Stories LastPass


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.