undefined | Better HN

0 pointstedmiston8y ago0 comments

To start, the LastPass browser extension auto logout feature has critical bugs. I've come back to my computer after several days and found it still logged in with full access to the vault (no master password re-entry required) even with auto logout set to 15 minutes of inactivity. After that happened several times, I lost trust in the product.

0 comments

2 comments · 1 top-level

shampine8y ago· 1 in thread

There is also a serious bug regarding 2FA. There is a race condition where if you know a users master password you can bypass 2FA for 1 single login.

Apparently someone commented below that is a documented "feature". Wow.

giovannibajo18y ago

It's a "feature" because it relies on a local cache. So it means that the attacker must be using your own unlocked computer (which contains the cache) to bypass 2FA through this "race"; and in that case it might as well install a key-logger instead or worse. The worse it can be said is that it is very confusing and breaks the usual pattern of what "logging off" means, but users should be taught to lock their computer, not log off stuff hoping not to leave nothing behind.

j / k navigate · click thread line to collapse