Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT Technology

LastPass Hackers Stole Source Code (infosecurity-magazine.com) 46

New submitter alfabravoteam writes: Password management company LastPass has published information about a security incident. "We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," reads the official message published.

They also clarify that no user data was lost. "We never store or have knowledge of your Master Password," the firm said in an FAQ. "We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers' Master Password", they inform. Hence, no action is required to users to follow.

This discussion has been archived. No new comments can be posted.

LastPass Hackers Stole Source Code

Comments Filter:
  • by nospam007 ( 722110 ) * on Friday August 26, 2022 @04:06PM (#62826353)

    Waiting for VeryLastPass to launch.

    • Yes, because as we all know, once source code is seen, all security is lost. You can't possibly make something secure without hiding the source code. /s

      LastPass stores a blob of data that's encrypted on the client. The only realistic danger resulting from this is if someone manages to more effectively spoof their services, or gains other side-channel attacks. I won't call that insignificant, but I'm not going to lose sleep over it.

      • by AmiMoJo ( 196126 )

        I just don't understand why you would bother with this. There are plenty of offline solutions, with cloud storage support if you need it. Run everything locally, outside the browser.

        • Re: Code stolen? (Score:5, Insightful)

          by jobslave ( 6255040 ) on Friday August 26, 2022 @05:09PM (#62826507)

          Are those "solutions" point-n-click to where your parents or grandparents can handle? If not, then they are not any sort of solution that 90% of internet users can deal with.

        • Re: (Score:3, Insightful)

          by Dutch Gun ( 899105 )

          Every other solution out there I've looked at is a relative pain in the ass compared to it. Right on the webpage, where you actually have to enter your credentials, they're entered for you automatically. If you change your password, LastPass detects it. Add some new credentials? LastPass detects and stores them for you. It integrates seamlessly with 2FA.

          Is it absolutely the most secure solution out there? Probably not, since integration with the browser carries some risk. Is it the most convenient so

          • by bmw ( 115903 )

            Bitwarden? Recently switched and I think I like it better. Is it more of the same thing? Yeah. When it comes down to it, anybody seriously caring about security probably shouldn't store anything that sensitive in the cloud, but it works well for the lazy and non-tech-savvy. :)

          • by tbuskey ( 135499 )

            There have been a number of security issues with LastPass. for example https://www.cpomagazine.com/cy... [cpomagazine.com]

          • Clearly haven't been looking around, then. There's KeePass and its forks, all local stored, easy to set up and with browser plugins.
      • Re:Code stolen? (Score:4, Interesting)

        by bill_mcgonigle ( 4333 ) * on Friday August 26, 2022 @06:31PM (#62826669) Homepage Journal

        I'd be looking for holes in the client-side page parsing code. It's always the parsers.

        Hop through there, grab the unlocked data. Of course you have to entice a user to go to a hostile website but most people will click on anything if you scare them.

  • Until someone feeds the source code through a set of SAST scanners, DAST scanners, and human reviews, finds vulnerabilities and starts exploiting them in the wild, for example by injecting exploits into legitimate and frequently used sites to harvest all user data client-side, in its decrypted state.

  • Password managers (Score:5, Interesting)

    by PCM2 ( 4486 ) on Friday August 26, 2022 @05:14PM (#62826513) Homepage

    I use Bitwarden. Anyone who wants the source code can have it, no hacking required.

    • by gweihir ( 88907 )

      Yep. Closed source is a big red flag in security software. Obviously so.

      • by raynet ( 51803 )

        I thought the browser extension was javascript thus you could read the source?

        • by gweihir ( 88907 )

          Probably obfuscated. At least I deduce from them admitting that the "source was stolen" that you cannot simply download the extension and read it. May also be another language that gets compiled to JavaScript, which usually produces the most awful unreadable mess.

    • And even if one doesn't care about FOSS... Bitwarden's UI is arguably better than that of LastPass. And the cost is lower!

      • by tbuskey ( 135499 )

        And even if one doesn't care about FOSS... Bitwarden's UI is arguably better than that of LastPass. And the cost is lower!

        Bitwarden also has its code professionally audited periodically. LastPass waits for the hackers to do it.

    • No 2FA on the free account....
  • by gweihir ( 88907 ) on Friday August 26, 2022 @05:53PM (#62826593)

    That is "Kerckhoff's principle". Zero knowledge is something completely different. When they do not even get the basic cryptographic terminology right, you should probably stay far away from their stuff....

    • Bingo. LastPass sold out to a questionable company several years ago. It was a good excuse to jump to Bitwarden.

    • From the Wikipedia article entitled "Zero-knowledge service": "The term "zero-knowledge" was popularized by backup service SpiderOak, which later switched to using the term "no knowledge" to avoid confusion with the computer science concept of zero-knowledge proof."

      • by gweihir ( 88907 )

        Well, SpiderOak misusing the term before does not make it any better. At least they fixed their mistake. Incidentally, the term "zero knowledge" is not only used in connection with "proof" in cryptography. Seems that Wikipedia article was not written by a cryptography expert.

    • by WoLpH ( 699064 )

      I've been using KeePassXC for a while and have been very happy with it. In my experience it's been better than Bitwarden and having everything Open Source is very nice as well

      • by gweihir ( 88907 )

        Well, there is really no sane reason to use anything closed-source and/or commercial for this task. Some people have a mistaken belief that commercial closed-source is somehow more secure though. There are always plenty of people disconnected from reality and this is just one more group.

    • by richi ( 74551 )
      Aren't they talking about a zero-knowledge password proof [wikipedia.org]? They probably use something like SRP. It would be extraordinarily picky to say that's not ZK. Sure, it's Kerckhoff, but ZKPP is part of how they achieve it.
  • Ah yes, SaaS security. Biggest worst single point of failure imaginable.

  • Exactly why I donâ(TM)t use online password services. I use keypassxc + keypassxc chrome plugin + strongbox for iOS. Sync everything with google drive. I have a random password for keypassxc that I donâ(TM)t even remember I enter by long pressing my security key. It sounds complex but it all works well together
    • Similar setup, except I use the Firefox plugin + Syncthing to keep everything synced up. Database is password + security key, so there's 2FA for the master database, too.
  • It is not like what LassPass does is a wonder of modern engineering.
  • Lastpass still has a copy.
    • That's a very interesting point. No mod option for "Funny,,, no, wait... clever... no... clever enough to be more funny".

      If it wasn't stolen, can it be considered hacked? And if this is stolen, how is it different that the source was behind a firewall and not behind an encryption scheme?

  • by RegistrationIsDumb83 ( 6517138 ) on Friday August 26, 2022 @08:47PM (#62826847)
    Reminder that LastPass shares and monetizes your metadata (urls). This is their business model to monetize free users. If you like privacy, use something else.
  • Built on GPG, works with standard text files, supports GIT to share between clients and it has a client for every O/S

    "Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management ut

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...