jbwarren
Active Contributor

SECURITY ISSUE: Password Fill dropdown options should not be narrowed by partially typed passwords

If I'm on a website with multiple associated username/password items, and I start manually typing a password into the site, the list of items LastPass shows to me in its drop-down is narrowed based on what I've typed. NOTE that this happens even for Items that have Require Master Password Reprompt enabled, and where I haven't recently entered my master password.

This is a significant security flaw in the specific case of Require Master Password Reprompt, and seems like a bad security practice in general. If I've tried to protect an Item with RMPR, someone can get around this by entering partial passwords into a website and seeing which match, gathering valuable information about the password itself. Bad bad bad. I don't like the fact that my "extra protected" passwords are even held in memory in the clear this way - ideally they should be encrypted unless/until the MP is re-entered. But even in general, you shouldn't be indexing the passwords, searching/filtering items based on passwords, showing the results, ... For usernames, great. For passwords - just not good.
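The filtering behaviour described in the post, shown as an added illustration rather than LastPass code: a suggestion filter that narrows on the typed password prefix (and ignores the reprompt flag) beside one that narrows only on the username and hides reprompt-protected items until the master password has been re-entered. The vault entries, function names and the `requireReprompt` flag are constructed for this example.

```javascript
// Constructed vault entries for one site (sample data, not real credentials).
const VAULT = [
  { username: "alice",       password: "hunter2!",    requireReprompt: false },
  { username: "alice-admin", password: "Tr0ub4dor&3", requireReprompt: true  },
  { username: "bob",         password: "hunter22",    requireReprompt: false },
];

// Flawed filter: whichever field has focus drives the narrowing, so typing
// into the password field acts as a prefix oracle, and items flagged for
// master-password reprompt are matched (and revealed) while still locked.
function suggestVulnerable(vault, field, typed) {
  return vault
    .filter((item) => item[field].startsWith(typed))
    .map((item) => item.username);
}

// Hardened filter: only the username field narrows the list; input in the
// password field never filters, and reprompt-protected items stay hidden
// until masterUnlocked is true for this session.
function suggestHardened(vault, field, typed, masterUnlocked) {
  const visible = vault.filter((item) => masterUnlocked || !item.requireReprompt);
  if (field !== "username") {
    return visible.map((item) => item.username); // no narrowing on secrets
  }
  return visible
    .filter((item) => item.username.startsWith(typed))
    .map((item) => item.username);
}

// Regression check: if the suggestion set changes as the password-field
// prefix changes, the dropdown is leaking information about stored passwords.
function leaksPrefixInfo(suggest, vault, prefixes, masterUnlocked = false) {
  const distinct = new Set(
    prefixes.map((p) => JSON.stringify(suggest(vault, "password", p, masterUnlocked)))
  );
  return distinct.size > 1;
}

const PREFIXES = ["h", "hunter2", "hunter22", "Tr0", "zzz"];
console.log("vulnerable leaks:", leaksPrefixInfo(suggestVulnerable, VAULT, PREFIXES));
console.log("hardened leaks:  ", leaksPrefixInfo(suggestHardened, VAULT, PREFIXES));
```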