LastPass hacked; security compromised for good

July 28th, 2016 Waqas Security 0 comments
The LastPass password manager had its security compromised by two white-hat hackers in two days. It turns out that sometimes it's good to be hacked by good hackers!

Mathias Karlsson, an IT security researcher, recently breached the security of the popular password manager LastPass and reported the issue to the firm.

It all happened when Karlsson noticed that LastPass had added HTML code to a website; upon further digging, he found a serious bug that allowed him to extract passwords stored for the autofill feature. In a blog post, Karlsson revealed that the bug was in the URL parsing.

“First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. However, the URL parsing code was flawed,” stated Karlsson.

Further, Karlsson tested the bug on http://avlidienbrunn.se/@twitter.com/@hehe.php and found that the browser would display the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL-encoded the last occurrence of @, the actual domain was treated as the username portion of the URL.
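To make the parsing flaw concrete, here is an added example (not LastPass's code) that reconstructs the behaviour described above in a hypothetical flawedHost(), beside a hardened safeHost() built on the platform's WHATWG URL parser and an autofill gate that trusts only the latter. The function names and the permissive regex are assumptions; the test URL is Karlsson's demo URL from the article.

```javascript
// Added example (not LastPass's code): the host-extraction flaw described
// above, reconstructed from the article, beside a hardened version.

// Hypothetical flawed parser: percent-encode only the LAST "@", then apply a
// permissive regex whose userinfo group [^:@]* may contain "/", so everything
// before the remaining "@" becomes the "username" and what follows it the host.
function flawedHost(url) {
  const lastAt = url.lastIndexOf("@");
  const fixed =
    lastAt >= 0 ? url.slice(0, lastAt) + "%40" + url.slice(lastAt + 1) : url;
  const m = fixed.match(
    /^([a-z][a-z0-9+.-]*):\/\/(?:([^:@]*)(?::([^:@]*))?@)?([^:\/?#]*)/i
  );
  return m ? m[4].toLowerCase() : null;
}

// Hardened parser: the WHATWG URL parser ends the authority at the first "/",
// so an "@" that appears later is just part of the path, never userinfo.
function safeHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // unparseable input: never autofill
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.hostname.toLowerCase();
}

// Autofill gate: fill stored credentials only when the hardened parser agrees
// that the page is on the exact host the entry was saved for.
function shouldAutofill(pageUrl, storedHost) {
  const host = safeHost(pageUrl);
  return host !== null && host === storedHost.toLowerCase();
}

// Constructed inputs: Karlsson's demo URL and an ordinary login page.
const DEMO = "http://avlidienbrunn.se/@twitter.com/@hehe.php";
for (const u of [DEMO, "https://twitter.com/login"]) {
  console.log(u, "flawed ->", flawedHost(u), "| safe ->", safeHost(u));
}
```

Running it shows the flawed parser reporting twitter.com for the demo URL while the browser (and safeHost) see avlidienbrunn.se, which is exactly the mismatch that let stored credentials be filled into the wrong site.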

Karlsson also shared a screenshot he took on the avlidienbrunn.se domain, which displayed Twitter credentials in clear text:


I, too, have hacked LastPass :) https://t.co/YeIzTHASou cc @taviso

— Mathias Karlsson (@avlidienbrunn) July 27, 2016

The good news is that Karlsson reported the issue to LastPass, which fixed the flaw immediately and paid him a sum of $1000.

Second case of LastPass hack: 

In another case, Tavis Ormandy, a Google security researcher, exposed a message-hijacking bug that affected the LastPass Firefox add-on. To take advantage of this bug, the attacker had to lure a LastPass user into visiting another site and could then execute LastPass actions in the background without the user's knowledge, such as deleting items. This was possible if the victim fell for a phishing scam that redirected them to a fake page. The good news is that LastPass has issued a security advisory urging Firefox users to update version 4.0 to the latest one.

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016

OK OK, I get it, lots of people use LastPass. If you work there, please contact me ASAP and let's get this fixed.

— Tavis Ormandy (@taviso) July 26, 2016

Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.

— Tavis Ormandy (@taviso) July 27, 2016

History of LastPass security breaches: 

This is not the first time, nor will it be the last, that LastPass has faced a security issue; this is the Internet, and 100% security is a myth. In the past, a researcher demonstrated how attackers could hack LastPass users through a phishing scam. In June 2015, LastPass admitted that its database, comprising email addresses, per-user server salts, password reminders and authentication hashes, had been hacked.


Warning:

Whether you are a LastPass user or not, keep in mind never to click an unknown link, as it can lead to a phishing scam.
NEVER reuse the same password across other accounts.
Use two-factor authentication.
Use a strong password!

Source: LastPass (https://blog.lastpass.com/2016/07/lastpass-security-updates.html/)

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. I am also into gaming, reading and investigative journalism.