I have been using the LastPass ( https://lastpass.com/ ) password manager for a while. Recently I discovered the following flaw (which I consider a potential security threat and proof of bad design). It is reproducible:
- Install the LastPass Firefox plugin
- log in to your LastPass account
- save the credentials of a website in LastPass and tick the option to log in automatically
- go to your LastPass account settings and change the email address of your account (your email address is also your username)
- restart the browser
- go to the login page of the website whose credentials you saved in LastPass in step 3
- click on your LastPass Firefox plugin button, enter the old, invalid email address as the username and try to log in.
- an error message from LastPass will pop up informing you that the login to your LastPass account failed.
- even so, LastPass will log you in to the website automatically, auto-filling your credentials.
To sum it up: logging in to your password manager's account fails, but it still gives you access to the stored credentials.
Yes, you need to know the previous email address and the password, but it is STILL bad, at least from my point of view.
Can you also reproduce this behavior of LastPass? You are more than welcome to leave a comment below.
Oh, and what I mentioned above is not the biggest "bug" of LastPass. The real bug is the following: after discovering the above, I went to LastPass's website, hoping that, since LastPass is a security-related app, I would find a huge, red, flashing button at the top of the page saying "Report Issue".
I looked for that button for a couple of minutes and didn't find one. That is the biggest flaw of LastPass from my point of view.