I tried to report a security hole to LastPass.

What I first sent was:

Greetings,
It is possible to create a LastPass account with any email address without verification.
This way it is possible to register accounts like "info@lastpass.com" if they don't exist yet.
Then, when someone wants to share passwords and fills in "info@lastpass.com", the phishing account receives the passwords.
The original owner of "info@lastpass.com" can't create an account, nor can they take over the compromised account, nor can they report the problem easily.
Secondly: it is not possible to see shared passwords by default (ERROR: This is a shared site. You are not permitted to view the password.)
Yet it is possible to intercept the password on HTML forms by inspecting the form's password element's value or by logging the POST request.
Therefore anyone could circumvent the security measures that LastPass has.
For further information you may contact me in Dutch or English.
This report will be made public within 3 months if no contact/solution is made in this period.

The answer I got was:

Hello,
That is something we are aware of and something that we disclaim to our users in the user manual here: https://helpdesk.lastpass.com/sharing-4-0/#h3 and here:
https://enterprise.lastpass.com/shared-folders/#h8
Ultimately, this is a limitation not with LastPass but with browsers in general. Our solution is a simple way to block passwords from users but there is not much to do if one does have knowledge of how to use developer tools or edit the page source. Once the data (any data) leaves LastPass, it is outside of LastPass' control. It would be the same as if you input data yourself by manually typing it in, and then doing the same thing to reveal it. If you are not comfortable sharing with certain users, don't share with them. We apologize for the inconvenience.

When they didn't understand that, I sent this:

I will try to explain the problem in clear steps:
H = hacker
U = user with email address user@lastpass.com
1. U has no account on lastpass.com
2. H creates an account on lastpass.com with the email address user@lastpass.com that belongs to U
3. H waits until someone wants to share passwords with that email address
4. When that happens, H accepts the share through the LastPass dashboard
5. H uses the LastPass plugin in the browser with U's email address
6. H opens the login screen of the shared website in his browser
7. H logs the network traffic (the browser debugger is sufficient)
8. H logs in with the compromised shared credentials

To me it seemed clear that you can simply create an account with someone else's email address.
Now I think they don't really understand my step-by-step plan. Have I been that clumsy?
And actually the solution is simple: verify the email address at registration.
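To make the registration flaw in the steps above and the proposed fix concrete, here is an added example written for this page; it is not code from the original post or from LastPass. It models two in-memory registries: one that binds any address to a new account on sight (so a share to user@lastpass.com goes to whoever registered it first, as in steps 2-4), and one that only activates an account after a one-time token mailed to the address comes back. The registry classes, the `mailboxes` dict standing in for mail delivery, the owner labels "H" and "U", and the shared secret are all hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    owner: str                      # hypothetical label of who holds the login ("H" or "U")
    shares: list = field(default_factory=list)


class UnverifiedRegistry:
    """Flawed model: any caller may bind any address to a new account, and a
    share addressed to that address goes to whoever registered it first."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, owner):
        if email in self.accounts:
            raise ValueError(f"{email} is already registered")
        self.accounts[email] = Account(email, owner)

    def share(self, to_email, secret):
        acct = self.accounts.get(to_email)
        if acct is None:
            raise KeyError(f"{to_email} has no account")
        acct.shares.append(secret)
        return acct.owner           # the recipient is whoever holds the account


class VerifiedRegistry:
    """Hardened model: registering only records a pending entry and mails a
    one-time token to the address; the account exists (and can receive shares)
    only after that token is presented, which proves control of the mailbox.
    `mailboxes` is a constructed stand-in for mail delivery: email -> tokens."""

    def __init__(self, mailboxes):
        self.mailboxes = mailboxes
        self.pending = {}           # email -> (token, owner)
        self.accounts = {}

    def register(self, email, owner):
        if email in self.accounts:
            raise ValueError(f"{email} is already registered")
        token = secrets.token_urlsafe(32)
        # A newer registration replaces an older pending one, so a squatter's
        # stale token is invalidated as soon as the real owner signs up.
        self.pending[email] = (token, owner)
        self.mailboxes.setdefault(email, []).append(token)
        # The token is deliberately not returned to the caller.

    def verify(self, email, token):
        entry = self.pending.get(email)
        if entry is None:
            return False
        expected, owner = entry
        if not hmac.compare_digest(expected, token):   # constant-time compare
            return False
        del self.pending[email]
        self.accounts[email] = Account(email, owner)
        return True

    def share(self, to_email, secret):
        acct = self.accounts.get(to_email)
        if acct is None:
            # No verified owner for this address yet: refuse rather than
            # hand the secret to an unconfirmed registrant.
            raise PermissionError(f"{to_email} is not a verified account")
        acct.shares.append(secret)
        return acct.owner


VICTIM = "user@lastpass.com"       # U's address from the post's steps


def flawed_flow():
    """Steps 1-4 of the post against the unverified model: returns who gets the share."""
    reg = UnverifiedRegistry()
    reg.register(VICTIM, owner="H")          # step 2: H registers U's address
    return reg.share(VICTIM, "hunter2")      # steps 3-4: someone shares to U's address


def hardened_flow():
    """Same steps against the verified model.
    Returns (share_to_squatter_refused, squatter_guess_accepted, final_recipient)."""
    mail = {}                                # constructed mailboxes; H cannot read U's
    reg = VerifiedRegistry(mail)
    reg.register(VICTIM, owner="H")          # token lands in U's inbox, not with H
    guess_ok = reg.verify(VICTIM, secrets.token_urlsafe(32))   # H cannot guess it
    try:
        reg.share(VICTIM, "hunter2")
        refused = False
    except PermissionError:
        refused = True
    reg.register(VICTIM, owner="U")          # later, U signs up for their own address
    reg.verify(VICTIM, mail[VICTIM][-1])     # and confirms with the token from their own mail
    return refused, guess_ok, reg.share(VICTIM, "hunter2")


if __name__ == "__main__":
    print("flawed model delivers the share to:", flawed_flow())
    print("hardened model (refused, guess accepted, recipient):", hardened_flow())
```

In the flawed model the share is delivered to "H"; in the hardened model the share is refused while the address is unverified, a guessed token is rejected, and once U has confirmed their own registration the share reaches "U". A production version would also expire pending tokens and rate-limit `verify`; the second issue in the post (reading an autofilled password out of the form or the POST body with the browser's developer tools) is a client-side limitation that no server-side check of this kind addresses.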
Don't get pressured, that's what the compressor is for.