New Contributor

New Security Dashboard allows passwords to be viewed without master password re-prompt

If you click the show button (eye) in the Security Dashboard, it will always show the password regardless of whether it's protected with a reprompt or not.
To recreate:
1. Create a password and check the "Require Master Password Reprompt" box in "Advanced Settings"
2. Open the Security Dashboard
3. Click on "View passwords"
4. Navigate to your protected password
5. Click on the "eye" in the "Password strength" column

Note: this only works with the browser extension

5 REPLIES
New Contributor

Re: [SECURITY] view passwords without masterpass reprompt

This is a security flaw. If the passwords are protected through a master password, they must not be accessed somewhere else within LastPass. I think they should fix it immediately!

LogMeIn Manager

Re: [SECURITY] view passwords without masterpass reprompt

Hi @Aras14,

Can you please confirm that you are still seeing this issue? I have been unable to recreate it.

Glenn is a member of the LogMeIn Community Care Team.

New Contributor

Re: [SECURITY] view passwords without masterpass reprompt

Hi @GlennD 

Yes, unfortunately, this issue is still there! Follow the steps and you will be able to see this:

1. Click on 'Open My Vault' in the browser extension

2. On the left, you will find 'Security Dashboard' in your vault

3. If you have any at-risk passwords, you will get a 'View passwords' link; click on it

4. On the new page, you will be able to view all your passwords.

NOW, HERE IS THE SECURITY FLAW

Regardless of whether a password is protected through 'Master Password Reprompt' or not, you will be able to see each and every password by clicking on the eye icon. So, what is the objective behind the 'Master Password Reprompt' if somebody can still access the password from a different location?

I think this is a huge flaw in LastPass, especially for shared computers.
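
A bypass like the one reported in this thread can arise when each screen is left to check the reprompt flag on its own. As an added example (not part of the thread and not LastPass code; the item fields, `GuardedStore` and the `verifyMaster` callback are hypothetical), this contrasts that pattern with enforcing the flag at the single point where plaintext is released:

```javascript
// Constructed sample items; field names are hypothetical, not LastPass's schema.
const ITEMS = [
  { id: 1, name: 'forum', password: 'hunter2-sample', reprompt: false },
  { id: 2, name: 'bank', password: 'correct-horse-sample', reprompt: true },
];

// Weak pattern: the store hands plaintext to any caller, so every view has to
// remember the reprompt check on its own.
const weakStore = { get: (id) => ITEMS.find((i) => i.id === id) };
function weakVaultView(id, promptOk) {
  const item = weakStore.get(id);
  return item.reprompt && !promptOk() ? null : item.password;
}
function weakDashboardView(id) {
  return weakStore.get(id).password; // newer view, check never added
}

// Hardened pattern: plaintext leaves the store through one method that
// enforces the flag, so a new view cannot skip it.
class GuardedStore {
  #items;
  #verifyMaster;
  constructor(items, verifyMaster) {
    this.#items = new Map(items.map((i) => [i.id, i]));
    this.#verifyMaster = verifyMaster; // assumed callback: (password) => boolean
  }
  // Safe for any view to render: no secret material.
  list() {
    return [...this.#items.values()].map(({ id, name, reprompt }) => ({ id, name, reprompt }));
  }
  reveal(id, masterPassword) {
    const item = this.#items.get(id);
    if (!item) throw new Error('unknown item');
    if (item.reprompt && !this.#verifyMaster(masterPassword)) {
      throw new Error('master password reprompt required');
    }
    return item.password;
  }
}

// A dashboard view built on the guarded store inherits the check.
function dashboardReveal(store, id, masterPassword) {
  try {
    return store.reveal(id, masterPassword);
  } catch (err) {
    return null; // the UI would show the reprompt dialog here
  }
}
```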

LogMeIn Manager

Re: [SECURITY] view passwords without masterpass reprompt

Hi,

A ticket has been created for this issue and the team informed. I will update this thread when there is new information to share.

Glenn is a member of the LogMeIn Community Care Team.

Active Contributor

Re: [SECURITY] view passwords without masterpass reprompt

Is there an update to this ticket?

Paul