Skip to main content
  1. Home
  2. Computing
  3. News

Despite security revisions, the secrecy of your passwords may still be at risk with LastPass

By

Heartbleed LastPass
Image used with permission by copyright holder
LastPass is what’s considered a single sign-on service, or SSO. It compiles all of your passwords into a single vault that can auto-fill forms at any time. It’s convenient, saves time, and is allegedly more secure than the alternative — typically using the same password for everything.

Security researchers have determined, however, that LastPass is far from perfect. It has been found to contain the types of holes that any amateur hacker could have a field day with. Given the proper tools, user data could have easily gotten into the wrong hands, revealing myriad private login credentials and leaving them vulnerable to a host of dangerous exploits.

Recommended Videos

This news comes by way of Martin Vigo, self-proclaimed “security geek,” who recently shared his findings at the Black Hat Europe conference. Speaking alongside Alberto Garcia Illera, Vigo provided vivid instructions for getting around LastPass’ security in a demonstration of just how easy it is to get through.

The two sales force security engineers outlined several holes in the service’s security protocols, both from the outside and from within using the client or server. Locally, the experts were able to get past the two-factor authentication in LastPass using a locally stored plain text token. By doing this, Vigo and Illera were able to trick the password recovery feature, in turn managing to exploit session cookies, though other procedures ensued.

Most worrying for loyal LastPass devotees, however, is that by installing a few lines of JavaScript code, cybercriminals could theoretically rob users of their usernames and passwords.

For obvious ethical reasons, all of these discoveries were immediately reported to LastPass, and the firm made some quick modifications to its security protocols. Unfortunately, as David Bison pointed out on security consultant Graham Cluley’s blog, this problem is likely not exclusive to LastPass. Rather, numerous other SSO clients probably experience the same central flaws.

On a brighter note, if you’re currently using an SSO client, it’s probably still safer than not using one at all and, say, making all of your passwords the same, easy-to-guess word. In a Tom’s Guide article, journalist Marshall Honorof writes that cracking the LastPass code would actually be quite the challenge for many cyber thieves, unless they’re able to take control of the user’s server or the device itself. Because of this, most hackers would opt for other means of password theft. Nevertheless, it’s still a concerning matter considering LastPass is used by thousands of organizations globally.

Of course, as we reported on earlier this year, LastPass was the victim of a massive data breach back in June. Perhaps even more distressing, the SSO service was purchased just last month by LogMeIn, a major SaaS (software as a service company) that underwent a data breach of its own last January.

This is the second consecutive year in which this same pair of engineers has discovered some loose strings in the LastPass code, making it painfully easy to get past its ostensibly tightly concealed vault doors. We can only hope these findings will motivate LogMeIn to improve its situation rather than making LastPass even more susceptible to threats.

Editors' Recommendations

Topics
Gabe Carey
Gabe Carey
Former Digital Trends Contributor
A freelancer for Digital Trends, Gabe Carey has been covering the intersection of video games and technology since he was 16…
Power up your tech game this summer with Dell’s top deals: Upgrade for a bargain
Dell Techfest and best tech on sale featured.

One of the best times to upgrade your tech stack, be it your desktop, a new laptop, or some high-resolution monitors, is when great deals are to be had. Well, I'm here to share that thanks to Dell's top deals, you can power up your tech game and have most of the summer to make it happen. Maybe you're happy with your current system or setup. That's excellent, but you're likely considering upgrading somewhere, and that's precisely what these deals are all about. Dell has a smorgasbord of deals on laptops, desktops, gaming desktops, monitors, accessories, and so much more. We'll call out a few of our favorite deals below, but for now, know that you should be shopping this sale if you're interested in anything tech-related.

 
What summer tech should you buy in Dell's top deals?

Read more
I love the MacBook Pro, but this Windows laptop came surprisingly close
Apple MacBook Pro 16 downward view showing keyboard and speaker.

There are some great machines in the 15-inch laptop category, which has recently been stretched to include the more common 16-inch laptop. The best among them is the Apple MacBook Pro 16, which offers fast performance for tasks like video editing and the longest battery life.

The Lenovo Yoga Pro 9i 16 is aimed not only at other 16-inch Windows laptops but also at the MacBook Pro 16. It offers many of the same benefits but at a lower price. Can it take a place at the top?
Specs and configurations

Read more
How to set an ‘Out of Office’ message in Microsoft Teams
Person using Windows 11 laptop on their lap by the window.

Many people use Microsoft Teams regularly to communicate with colleagues both inside of the office and remotely. It is considered one of the most efficient ways to ensure you can stay in contact with the people on your team, but what if you need to let people know you’re not readily available? Microsoft Teams has a method for you to set up an "Out of Office" status for your profile to let staff members know when you’ll be gone for the afternoon, for several days on vacation, or for an extended period.
Where do I go to set up my ‘Out of Office’ status for Teams?
It is important to note that your Microsoft Teams and Outlook calendars are synced. This includes your out-of-office status and automatic replies. So, whatever you set up in Microsoft Teams will reflect in Outlook. Similarly, you can set up your out-of-office status in Outlook, and it will be reflected in Teams; however, the former has a more straightforward instruction.

First, you can click on your profile icon in Teams and go directly to Schedule an out of office, as a shortcut. This will take you to the settings area where you can proceed. You can also click the three-dot icon next to your profile icon, then go to Settings > General, then scroll down to the bottom of the page. There, you'll find out-of-office settings and click Schedule.

Read more