Lastpass sign in
5/1/2023

I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened.

LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt.

What troubles me is that the master password was stored in a local encrypted KeePassX file. I can imagine that someone has my KeePassX file and the (completely different) password to this file.

But are there any other possibilities? Is the email from LastPass accurate, i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass? If that's the case, I'm in a world of hurt.

The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too - what's the point of a 2FA you can remove?

The email was truly not phishing - the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information.

There are 2 separate users in the thread below confirming that the exact same thing happened to them, from the exact same IP range as me.
Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised? Or? Is this a LastPass issue?

---

There was no 1Password to LastPass importer at the time I wrote that (believe me, I looked because I have better things to do than write apps to benefit a commercial entity like agilebits otherwise), and of course the code is published on GitHub and released under the MIT license. It's very short and simple and rather easy to review. [...] .NET executable, which is ridiculously easy to reverse-compile back to C# (not just assembly) so you can even check that I'm distributing an exe that does the same thing as the code I published.

I just revisited that link I shared, and I have to say, it takes some real chutzpah to turn around and accuse me of advising insecure practice when the link I shared literally talks about just that:
Due to the nature of this application, □□ □□□□□□□□ □□□□ □□□□□□□□ □□ □□□□□□□□ □□□ □□□□□□ □□□□, review it quickly, and compile it yourself to use this tool. However, we do recognize that this may be beyond the means of all security-minded folk out there looking to make the switch, so we are providing signed binaries available for download. If you do opt to use the binary download, make sure to validate the Authenticode signature like so.

---

A weakness in your client-side hashing will make your site weaker to brute-force attacks, since it will reduce the number of hashes (or passwords) an attacker has to try (collisions in client-side hashes will too, but very negligibly for a good hash function). It's also impossible to recover from without relying on another form of authentication to re-establish trust. For many sites this means downgrading to single-factor.

Any hash upgrade mechanism can be abused by a (possibly MITM) attacker to change a user's password while leaving you and the user none the wiser that specifically this occurred. If you need to lock someone out while their phone is beeping at them over their bank account being emptied, while not even making it look like their password was changed, that sounds like a fun way.

Lastly it's virtually the same as plaintext, since any salt will be known by even just a passive attacker. A true MITM won't even have to brute-force the hash.
Conclusion: Might do harm, will do little good.

---

Welcome to frameworkless PHP where code & user files are stored in the same root and any PHP file requested by a web client is executed by the server. In most proper frameworks, including PHP ones, the only thing responding to web requests is an entrypoint file (that gets passed the request metadata including URL) and the framework takes it from there. This means that with proper configuration, even requesting a malicious PHP file shouldn't actually execute it and instead hit the framework which will promptly respond with a 404 (of course, with PHP the danger is that in case of misconfiguration the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint, whereas other languages typically don't rely on the webserver to execute the files and couldn't run a malicious file even if they tried).
But these stupid legacy applications are still around and haven't been updated to fix this design flaw, so any flaw in sanitizing uploaded files turns into a persistent RCE.