LastPass: design flaw in communication to privileged components

156 points by pedro84, almost 9 years ago

7 comments

mentat, almost 9 years ago
Agree with the comment that the blogger doesn't understand what phishing is. This could be done against a huge number of people through various approaches with ad network code or targeted attacks controlling path to internet. That's all setting aside how trivial it would be for nation states.
mikkom, almost 9 years ago
So this post says
> We have verified that intercepting messages via the method you suggested is possible and is a problem. We have also verified it only affects firefox (chrome, ie, safari, opera, etc do not use the window for message passing in the same manner) and doesn't affect our primary addons.mozilla.org firefox download (which is still 3.0 version).
It seems the latest version for Windows is 4.1.20a? As I'm both a Linux and Firefox user and there have been 2 password stealing exploits revealed, I would very much like to know if this affects me (my version seems to be 3.3.1). Is there any version history that I could check, or does anyone know what versions are affected by these 2 exploits?
Accacin, almost 9 years ago
So, I've been using Lastpass for a few years now and I probably rely on it too much. Every single login has a unique and strong password so it would be a pain to have to move away.
I use a Yubikey that's required when I log into a new PC (my home PC is set to only ask every 30 days for my 2FA key), I use an email that is only connected to Lastpass and I have a strong passphrase. Any other device I use Lastpass on is set to require a password and 2FA key at each start.
Is that enough to make me reasonably secure?
JumpCrisscross, almost 9 years ago
Has LastPass ever subjected their code to a proper, outside security audit in a form tptacek would endorse?
cottsak, almost 9 years ago
This is not the same as https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/ is it?
mdesq, almost 9 years ago
I wonder how the Citrix acquisition/merger will affect LastPass, especially some of the security aspects.
kevin_thibedeau, almost 9 years ago
Password managers exchange a strong secret, something you know, for a weak one, something you have. Once an attacker gets to your database you're completely owned. When they compromise a normal password the damage is more contained if you maintain reasonable security practices.