Despite security revisions, the secrecy of your passwords may still be at risk with LastPass

Heartbleed LastPass
LastPass is what’s considered a single sign-on service, or SSO. It compiles all of your passwords into a single vault that can auto-fill forms at any time. It’s convenient, saves time, and is allegedly more secure than the alternative — typically using the same password for everything.

Security researchers have determined, however, that LastPass is far from perfect. It has been found to contain the types of holes that any amateur hacker could have a field day with. Given the proper tools, user data could have easily gotten into the wrong hands, revealing myriad private login credentials and leaving them vulnerable to a host of dangerous exploits.

This news comes by way of Martin Vigo, self-proclaimed “security geek,” who recently shared his findings at the Black Hat Europe conference. Speaking alongside Alberto Garcia Illera, Vigo provided vivid instructions for getting around LastPass’ security in a demonstration of just how easy it is to get through.

The two sales force security engineers outlined several holes in the service’s security protocols, both from the outside and from within using the client or server. Locally, the experts were able to get past the two-factor authentication in LastPass using a locally stored plain text token. By doing this, Vigo and Illera were able to trick the password recovery feature, in turn managing to exploit session cookies, though other procedures ensued.

Most worrying for loyal LastPass devotees, however, is that by installing a few lines of JavaScript code, cybercriminals could theoretically rob users of their usernames and passwords.

For obvious ethical reasons, all of these discoveries were immediately reported to LastPass, and the firm made some quick modifications to its security protocols. Unfortunately, as David Bison pointed out on security consultant Graham Cluley’s blog, this problem is likely not exclusive to LastPass. Rather, numerous other SSO clients probably experience the same central flaws.

On a brighter note, if you’re currently using an SSO client, it’s probably still safer than not using one at all and, say, making all of your passwords the same, easy-to-guess word. In a Tom’s Guide article, journalist Marshall Honorof writes that cracking the LastPass code would actually be quite the challenge for many cyber thieves, unless they’re able to take control of the user’s server or the device itself. Because of this, most hackers would opt for other means of password theft. Nevertheless, it’s still a concerning matter considering LastPass is used by thousands of organizations globally.

Of course, as we reported on earlier this year, LastPass was the victim of a massive data breach back in June. Perhaps even more distressing, the SSO service was purchased just last month by LogMeIn, a major SaaS (software as a service company) that underwent a data breach of its own last January.

This is the second consecutive year in which this same pair of engineers has discovered some loose strings in the LastPass code, making it painfully easy to get past its ostensibly tightly concealed vault doors. We can only hope these findings will motivate LogMeIn to improve its situation rather than making LastPass even more susceptible to threats.


New ‘Battlefield V’ patch gives Nvidia’s ray tracing support a chance to shine

‘Battlefield V’ is the first game to use Nvidia’s ray tracing support, now available with the RTX 2080 and 2080 Ti graphics cards. The feature can, in an ideal scenario, make the game look better, but the performance hit may not be…

Quora hit by data breach affecting around 100 million users

Question-and-answer website Quora has revealed that hackers may have stolen data belonging to 100 million of its users. The recently discovered security breach is still being investigated, and Quora is contacting affected users.

Changing file associations in Windows 10 is quick and easy with these steps

Learning how to change file associations can make editing certain file types much quicker than manually selecting your preferred application every time you open them. Just follow these short steps and you'll be on your way in no time.

Intel's dedicated GPU is not far off -- here's what we know

Did you hear? Intel is working on a dedicated graphics card. It's called Arctic Sound and though we don't know a lot about it, we know that Intel has some ex-AMD Radeon graphics engineers developing it.

Edit, sign, append, and save with six of the best PDF editors

There are plenty of PDF editors to be had online, and though the selection is robust, finding a solid solution with the tools you need can be tough. Here, we've rounded up best PDF editors, so you can edit no matter your budget or OS.

How to easily record your laptop screen with apps you already have

Learning how to record your computer screen shouldn't be a challenge. Lucky for you, our comprehensive guide lays out how to do so using a host of methods, including both free and premium utilities, in both MacOS and Windows 10.
Product Review

It's not the sharpest tool, but the Surface Go does it all for $400

Microsoft has launched the $400 Surface Go to take on both the iPad and Chromebooks, all without compromising its core focus on productivity. Does it work as both a tablet and a PC?

From beautiful to downright weird, check out these great dual monitor wallpapers

Multitasking with two monitors doesn't necessarily mean you need to split your screens with two separate wallpapers. From beautiful to downright weird, here are our top sites for finding the best dual monitor wallpapers for you.

Capture screenshots with print screen and a few alternative methods

Capturing a screenshot of your desktop is easier than you might think, and it's the kind of thing you'll probably need to know. Here's how to perform the important function in just a few, easy steps.

These cheap laptops will make you wonder why anyone spends more

Looking for a budget notebook for school, work, or play? The best budget laptops, including our top pick -- the Asus ZenBook UX331UA -- will get the job done without digging too deeply into your pockets.

Vanquish lag for good with the best routers for gaming

Finding the best routers for gaming is no easy task. With so many out there, how do you know which to pick? We've looked at the many options available and put together a list of our lag-free favorites.

Stop your PC's vow of silence with these tips on how to fix audio problems

Sound problems got you down? Don't worry, with a few tweaks and tricks we'll get your sound card functioning as it should, and you listening to your favorite tunes and in-game audio in no time.

These Raspberry Pi 3 bundles will cover everyone, from coders to gamers

The Raspberry Pi 3 is a low-budget computing platform capable of doing just about anything. We rounded up a handful of the best Raspberry Pi 3 bundles to get you started on a variety of DIY projects.
Emerging Tech

Awesome Tech You Can’t Buy Yet: Folding canoes and ultra-fast water filters

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it sure is fun to gawk!