LastPass XSS vulnerability found. Is it a big deal?

Via DownloadSquad I found out that a cross-site scripting (XSS) vulnerability was found in LastPass – an online password management service.  The problem was reported to LastPass and they seem to have fixed it before the information went public.  What remains now is the question of how bad this incident is.

First off: don’t worry. Cardwell reported the vulnerability to LastPass before writing it up, and it has since been fixed. We’re not sure if the fix has propagated out to the Chrome and Firefox add-ons — but we have to assume that Cardwell wouldn’t have written his blog post if the vulnerability still existed.

With that said, you should still be more than a little concerned about the fundamental architecture of LastPass as an in-the-cloud password manager. While this cross-site scripting attack was fixed quickly, Cardwell thinks a similar attack “could easily happen again in future.”

It’s very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.

Being a user of LastPass myself and knowing quite a few other people who use the service (some of them even on my recommendation), I have to say that I am not pleased.  I trust absolutely all of my passwords to LastPass and I rely on it being secure.  Having said that, I have to point out that the world is still there.  And most likely, it will still be there even if all those passwords get stolen and distributed all over the Internet.  For sure, some people will lose some data.  Some will probably lose some money.  But I don’t think it can get any worse than that.  Nobody will die.

Moreover, convenience and productivity beat security.  Yes, there are a few security-conscious individuals out there who would never trust their passwords to their own mother, let alone a web-based service that they have no control over.  But most people aren’t like that.  Most people, yours truly included, just don’t care enough.  The modern world is filled with usernames and passwords, and for the most part people don’t care whether someone else knows them or not.  We only use credentials because we are forced to.  Remembering all those logins and passwords is a tough job.  Having it done by LastPass is awesome!  You don’t have to remember passwords anymore.  You don’t have to worry about losing them together with your laptop.  You don’t have to worry about carrying the laptop with you at all times.  Just save them to LastPass and you’ll be able to access them from anywhere – home, office, mobile, etc.  This is so convenient that it’s almost irrelevant how many vulnerabilities will be found and exploited – LastPass still solves the hard problem for a lot of people.   The only thing they have to worry about is competition that can and probably will exploit such incidents.

Giving Picasa a try

Those of you who know me know that I am a big fan of Flickr.  I’ve been using it for years, and I have more than 10,000 photos uploaded there.  I am also a big fan of Google.  And even so, I ignored and disregarded their Picasa service.  Why?  Because it is boring.

Flickr is a fresh and very much unique solution to the photo sharing problem.  It is a photostream.  It is social, with all the comments and groups.  It helps with organization of photos by sets, collections, and tags.  It utilizes EXIF image data.  It allows geotagging pictures.  It was one of the first to introduce easy Creative Commons licensing.  And more.

Picasa is very straightforward and … boring.  Create albums, upload images, share the selected ones.  That was pretty much it.  Later on, of course, comments came in, geotagging was implemented, and even face recognition was added.  Sort of.  The strength of Picasa was not in the web service.  It was in the photo management application that you’d install on your computer.  And that was exactly what I never wanted to do.

My computer is unreliable.  It crashes, and dies, and gets outdated.  It runs out of disk space.  I lose it.  And I can’t really share and discuss things off my computer with other people.  I can, but it’s not easy or convenient.  Flickr solves my problem – I upload pictures there, and everyone can see, comment, and reuse them.

That, however, created a new problem for me.  Since I know that other people will look at my photos, I want to edit them a bit before uploading – crop, contrast, saturation.  Things like that.  But when I take a lot of pictures at once – an event or a trip – I have to work a lot to process them.  If I get several events in a row, I get stuck, overloaded, and lose interest.  Like now, for example.  I still have photos from my 2009 trips that I haven’t uploaded anywhere.

A few days ago, I realized that there might be a workable scenario for me with Picasa.  Picasa these days is much more feature-rich than it used to be.  It still lacks the social functionality, but it offers something more for photo management: Picnik, an online photo editor.  With that, I can upload all my photos to Picasa as soon as I have them.  I can keep them in a private album, edit them when I have the time, and then share them later.  Or share them immediately and edit them later – there is less social pressure because there are fewer social interactions and less social functionality.

On top of that, Picasa works better with my new Android phone.  I already use it to back up photos from my phone.  Having all the photos together makes sense.

One other thing that Picasa does better – uploads.  Both services have APIs, so there are plenty of tools to move pictures around.  But I always prefer the simplest solution.  Flickr provides five file upload fields on their site.  If I need to upload a few hundred pictures, I’ll spend too much time with that.  I am, sort of, forced to install an application or a browser plugin or something.  Picasa Web Albums allows selecting multiple files for upload – as many as you have in the folder.  So in just a couple of clicks I can select and start the upload and come back later when it’s done.

Having seen all that in the last few days, I decided to try it out.  I am now uploading all my photos to Picasa as well.  I’ll keep them in private albums for now.  If I like it enough, I’ll share them later.

What about you?  Where do you keep your photos?  How do you share them?  And are you happy with your current setup?

Day in brief

The Fighter

The other day I watched “The Fighter” – a sports drama based on the life and career of the boxer Micky Ward.  As with most other sports dramas, the general course of the story is known and predictable.  Those movies are not made, watched, and enjoyed for their twisted plots.  Instead, they are all about people and specific circumstances.  And this film is no exception.

To be honest, I had never heard of Micky Ward before this film.  So it was interesting for me to discover who he is and how he came to be who he is.  It was also interesting to see a rather realistic approach to the story – less glamor, hot chicks, and big fights, and more hard work, sweat, personal drama, and overall resilience.   The film helps to illustrate the idea that a champion is 1% talent and 99% hard work.  It also shows how impossible it is to satisfy everyone, how that often leads one to very hard choices, and how those choices have to be made.

Overall, I really enjoyed the film.  Interesting characters, good acting, and authentic cinematography all make this film so much better.  A 4 out of 5 from me.  Recommended.