4

LastPass is a top-rated password manager that comes as a browser extension and uses a master password to encrypt and decrypt the password database using the JavaScript. Is this a secure way of doing? Isn't this approach vulnerable to any web based attack? What can be the attack vectors to be considered while doing this crypt operations using the JavaScript?

Improve this question
8
  • Although I'm also curious about the answer, I'd like to mention that on many platform, Lastpass provides a binary blob which does the actual encryption/decryption work (among other things such as low-level hardware access for 2FA, some details of the functionality are described here : helpdesk.lastpass.com/getting-started/… ). Thus, if JavaScript proves to be vulnerable to attacks, it may be possible to avoid using it in the sensitive parts of the LastPass extension :)
    – Hadrien G.
    Commented Nov 12, 2014 at 8:19
  • 1
    The Same Origin Policy will prevent other domains from accessing the in memory JavaScript objects (plaintext password and hash) and HTTPS will protect the hash in transit to LastPass.
    – SilverlightFox
    Commented Nov 12, 2014 at 11:13
  • but if the current web site is malicious it could access the LastPass data.
    – Curious
    Commented Nov 12, 2014 at 14:35
  • @Curious and if Microsoft/Apple/Richard Stallman/Whomever is malicious they can access all your data too. You can audit the website or the lastpass command line interface to determine how it works and whether or not you feel comfortable using it.
    – user11869
    Commented Nov 12, 2014 at 15:18
  • 1
    @Curious last pass had a press release that the bugs in this paper were fixed long before the paper was published. blog.lastpass.com/2014/07/a-note-from-lastpass.html
    – user11869
    Commented Nov 16, 2014 at 2:27

1 Answer 1

Reset to default
1

Lasspass is a browser plugin and is not vulnerable to MITM attacks to its javascript the way that a website is. The plugin resources are not installed the same way that a website requests its javascript files via http requests.

Javascript is not inherently more vulnerable to attacks other than the nature by which the code is requested and loaded. (MITM)

It can however be considerably slower than native code (internet explorer), but it can also be considerably faster than native code implementations (Chrome's V8 engine).

From LastPass's website login, the valid HTTPS certificate authenticate's the resources loaded by the browser. Certificate authenticity can be confirmed by looking to the left of the website address at the top of the window.

Same Origin Policy along with SSL prevents malicious iframes from hijacking any javascript resources that may be loaded in the child frame.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .