<h1>LastPass XSS vulnerability found. Is it a big deal?</h1>
<p>Published 2011-02-28 at <a href="https://mamchenkov.net/wordpress/2011/02/28/lastpass-xss-vulnerability-found-is-it-a-big-deal/">mamchenkov.net</a>.</p>
<p>Via <a href="http://downloadsquad.switched.com/2011/02/27/lastpass-xss-vulnerability-found-website-and-browser-add-ons-af/">DownloadSquad</a> I found out that a cross-site scripting (XSS) vulnerability was found in <a href="http://lastpass.com/">LastPass</a> – an online password management service. The problem was reported to LastPass and they seem to have fixed it before the information went public. What remains now is the question of how bad this incident is.</p>
<blockquote>
<p>First off: don’t worry. Cardwell reported the vulnerability to LastPass before writing it up, and it has since been fixed. We’re not sure if the fix has propagated out to the Chrome and Firefox add-ons — but we have to assume that Cardwell wouldn’t have written his blog post if the vulnerability still existed.</p>
<p>With that said, you should still be more than a little concerned about the fundamental architecture of LastPass as an in-the-cloud password manager. While this cross-site scripting attack was fixed quickly, Cardwell thinks a similar attack “could easily happen again in future.”</p>
<p>[…]</p>
<p>It’s very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.</p>
</blockquote>
<p>Being a user of LastPass myself and knowing quite a few other people who use the service (some of them even on my recommendation), I have to say that I am not pleased. I trust absolutely all of my passwords to LastPass and I rely on it being secure. Having said that, I have to point out that the world is still there. And most likely, it will still be there even if all those passwords get stolen and distributed all over the Internet. For sure, some people will lose some data. Some will probably lose some money. But I don’t think it can get any worse than that. Nobody will die.</p>
<p>More so, convenience and productivity beat security. Yes, there are a few security-concerned individuals out there who would never trust their passwords to their own mother, let alone a web-based service that they have no control over. But most people aren’t like that. Most people, yours truly included, just don’t care enough. The modern world is filled with usernames and passwords, and for the most part people don’t care if someone else knows them or not. We only use credentials because we are forced to. Remembering all those logins and passwords is a tough job. Having it done by LastPass is awesome! You don’t have to remember passwords anymore. You don’t have to worry about losing them together with your laptop. You don’t have to worry about carrying the laptop with you at all times. Just save them to LastPass and you’ll be able to access them from anywhere – home, office, mobile, etc. This is so convenient that it’s almost irrelevant how many vulnerabilities will be found and exploited – LastPass still solves the hard problem for a lot of people. The only thing they have to worry about is competition that can and probably will exploit such incidents.</p>