
Pale Moon as my browser due to the wonderful extensions


Steven Avery:
FYI:
It does seem that LastPass may be problematic with Pale Moon and similar. The last one referred to as compatible was 3.3.4 but there is some sort of vulnerability involved. And since this is a delicate area, I will just use LastPass from the Taskbar and/or Desktop capabilities.

cyberdiva:
Steven,

Yes, I think you're right that the last version of LastPass to work with Pale Moon is 3.3.4. That's what I have on my computer, and it seems to work well. What sort of vulnerability does using it involve?

Steven Avery:
Good question. I decided to study this out. 3.3.4 is retired, and may contain a vulnerability.

Here there is some description, starting with an earlier vulnerability in 3.3.2.

LastPass releases fix browser extension security flaws
March 23, 2017
https://www.computerweekly.com/news/450415398/LastPass-releases-fixes-browser-extension-security-flaws
"Users can also update to Firefox 3.3.4, however, as we noted previously, the 3.x version of LastPass will be retired in the coming weeks."

LastPass has fixed three bugs in the password manager discovered by Google researcher Tavis Ormandy in the last 24 hours.
March 22, 2017
https://threatpost.com/lastpass-fixes-ormandy-rce-bug-two-outstanding-vulnerabilities-remain/124471/
"LastPass incorporated a fix for that vulnerability into version 3.3.4 of the add-on, released Wednesday morning. Firefox users should be automatically updated to the latest version, Ormandy said."

Discussion of the Ormandy-LastPass interactions:
Threatpost - March 22
LastPass Fixes Three Password Theft Vulnerabilities
https://threatpost.com/lastpass-fixes-ormandy-rce-bug-two-outstanding-vulnerabilities-remain/124471/

=====================

This whole discussion is good, the extract is from the last quote.

LastPass Bug
Bogleheads
April 1, 2017
https://www.bogleheads.org/forum/viewtopic.php?t=215129

MudPuppy
There have been several attacks over the years against browser extensions for LastPass specifically and other password vaults in general. In most cases, this involves somehow fooling the browser extension into thinking you are on XYZ website, when you are actually on ABC website. By using the browser extension to have the convenience of automatically logging in to a site when you visit it, you've opened yourself to the risk that the browser extension is tricked this way.

The simplest solution is to just not use the browser extensions for a password vault. Take the extra 30 seconds to manually cut-and-paste the password from the vault into the website when you want to log in (or the extra minute to manually type it out). Then you don't have to worry about browser extensions being fooled, you just have to worry about you being fooled (e.g. phishing or other social engineering).

========================

Tavis Ormandy on Twitter
https://twitter.com/taviso

========================

While it says there that the problem was in 3.3.2, you have this:

Is Fx extension 3.3.4 affected by the latest vulnerability?
April 7, 2017
https://forums.lastpass.com/viewtopic.php?f=12&t=252675
"YES 3.3.4 is affected"

Not sure if that is true, it may have been an extrapolation from:
"All of your LastPass browser extensions should be updated to version 4.1.44 or higher"
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

Pale Moon Forum
PM 27.2.0 not allowing CRITICAL update to LASTPASS
https://forum.palemoon.org/viewtopic.php?t=15223
Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.

Major Geeks wonders if 3.3.4 has vulnerabilities
https://forums.majorgeeks.com/threads/password-manager.316936/

Reddit back and forth, how quick was LastPass, and no clear indication on 3.3.4
https://www.reddit.com/r/programming/comments/621p81/developers_of_the_widely_used_lastpass_password/

Wilders
https://www.wilderssecurity.com/threads/password-manager-discussion.372873/page-13

Mozillazine
https://discourse.mozilla.org/t/why-are-you-serving-a-vulnerable-lastpass-version-3-3-4/15380/6
http://forums.mozillazine.org/viewtopic.php?f=3&t=3029141

A competitor attacks LastPass
https://palant.de/2017/03/23/lastpass-security-done-wrong/

==========================

POSSIBLY 3.3.4 IS VULNERABLE - THIS IS A SECOND THINGY

Security Update for the LastPass Extension
March 27, 2017 - updated March 31
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

TavisO finds yet another LP code execution exploit
https://forums.lastpass.com/viewtopic.php?f=6&t=251065&start=10
This may affect 3.3.4.
All of your LastPass browser extensions should be updated to version 4.1.44 or higher

================================
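The MudPuppy quote above describes the core risk of autofill extensions: the extension being convinced it is on site XYZ while the page is really ABC. The mitigation on the extension side is a strict origin check before any saved credential is released. The snippet below is an added illustration, not code from this thread, from LastPass or from Pale Moon; the vault entries and the helper names (`originOf`, `credentialFor`) are constructed for the example.

```javascript
// Added example: strict origin matching before autofill. A saved credential
// records the exact origin (scheme + host + port) it was stored for, and it is
// released only when the current page's origin is identical. Exact matching is
// deliberately conservative: loosening it to "same registrable domain" or
// "any subdomain" is where lookalike-host confusion usually creeps in.

// Constructed sample vault entries (not real accounts).
const SAVED_CREDENTIALS = [
  { origin: "https://bank.example", username: "alice" },
  { origin: "https://mail.example:8443", username: "alice@mail" },
];

// Normalise a page URL to its origin, or return null if it must never be
// filled. The WHATWG URL parser lower-cases the host, drops a default port,
// and separates userinfo from the host, so "bank.example@evil.example"
// cannot masquerade as bank.example.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;                       // unparseable: refuse to fill
  }
  if (url.protocol !== "https:") return null;   // never fill over plain http
  if (url.username || url.password) return null; // reject userinfo tricks
  return url.origin;                   // e.g. "https://bank.example"
}

// Return the username to autofill for the current page, or null.
// Subdomains, trailing-dot hosts and differing ports all fail the exact match.
function credentialFor(currentUrl) {
  const origin = originOf(currentUrl);
  if (origin === null) return null;
  const hit = SAVED_CREDENTIALS.find((c) => c.origin === origin);
  return hit ? hit.username : null;
}

// Example run (constructed inputs): only the first three are filled.
for (const u of [
  "https://bank.example/login",
  "HTTPS://BANK.EXAMPLE:443/",
  "https://mail.example:8443/inbox",
  "http://bank.example/login",
  "https://bank.example.evil.example/login",
  "https://bank.example@evil.example/",
  "https://bank.example./",
]) {
  console.log(u, "->", credentialFor(u));
}
```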

cyberdiva:
Thanks very much, Steven, for the detailed information. I knew a small part of this, but not most of it. I'm a little unclear about a way around this. I always access LastPass through the browser. So even if I were to go to LastPass, copy my password, and paste or type it in, wouldn't my accessing LastPass through the browser (via the little red icon in the upper right corner) also be problematic? I mean, I type my master password in order to access my vault in LastPass. Or is it just somehow the LastPass mechanism in 3.3.4 that makes me vulnerable?
