Max Stolbynsky

IT manager. Consultant. Cloud architect.


Marginalia

This is a place where I would like to share some side notes about my life, thoughts and ideas. Everything listed below is my personal opinion and open for discussion. You can find different sides of my life here, so do not be confused if you find things that do not seem to mix. Life is a really interesting thing and includes various sides.

New Google authentication + LastPass = potential security issues

October 30, 2013, Max Stolbynsky

Many people use the LastPass plugin to store site credentials. It is really useful and I'm using it for a bunch of non-sensitive logins. It worked well with Google before their recent login page update.

So the story is as follows. I sometimes use a customer's login/pass to manage some Google services, and I did so today. Then in the evening I went to Flickr to upload some photos. There is optional OAuth via Google and I'm using it. As usual it pops up my face, LastPass pre-fills the pass, I press Sign In… and end up on the Signup form with the CUSTOMER'S name and address pre-filled. What the hell? Cookies? OK! Press logout. Log in to Gmail with my email and pre-filled pass… and again – CUSTOMER's mailbox!!! OK… Clear all cookies and local storage. Try again – same result. Go to Safari without LastPass and log in successfully!

After this I started to research the reasons for such a strange situation and found this:

[Image: google-lp]

In fact, Google prints the email as a label, but the form ALSO has an invisible input. LastPass does not recognize that it is hidden and fills it.

The user can see only the hidden password and of course has no idea that he is now logging in under a completely different account.

The same situation can happen with Google pay and other services.

So my advice: be careful with LastPass on Google sites.
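The failure described above, as an added example that is not code from the original post, Google or LastPass: a fill routine that writes to every matching field, beside one that refuses when the identity field is invisible and the account shown on the page is not the stored one. The field model, function names and sample addresses are constructed assumptions.

```javascript
// Added example: field descriptors are constructed stand-ins for DOM inputs.
// All names (isUserVisible, naiveAutofill, safeAutofill) are hypothetical.

// An input the user cannot see must not be treated as a normal username box.
function isUserVisible(f) {
  const s = f.style || {};
  return f.type !== 'hidden' && !f.hidden &&
    s.display !== 'none' && s.visibility !== 'hidden' &&
    s.opacity !== 0 && f.width > 0 && f.height > 0;
}

const isUserField = f => f.type !== 'password' && /email|user|login/i.test(f.name);
const submittedIdentity = form => (form.fields.find(isUserField) || {}).value;

// Behaviour described in the post: every matching field is filled, seen or not.
function naiveAutofill(form, cred) {
  for (const f of form.fields) {
    if (f.type === 'password') f.value = cred.password;
    else if (isUserField(f)) f.value = cred.username;
  }
  return submittedIdentity(form);
}

// Safer policy: never write to an invisible identity field, and withhold the
// password when the account shown on the page is not the stored one.
function safeAutofill(form, cred) {
  const user = form.fields.find(isUserField);
  const pass = form.fields.find(f => f.type === 'password' && isUserVisible(f));
  if (!pass) return { filled: false, reason: 'no visible password field' };
  if (user && !isUserVisible(user)) {
    const shown = (form.displayedIdentity || '').trim().toLowerCase();
    if (shown !== cred.username.toLowerCase())
      return { filled: false, reason: 'displayed account differs from stored login' };
  } else if (user) {
    user.value = cred.username;
  }
  pass.value = cred.password;
  return { filled: true, reason: 'ok' };
}

// Constructed sample: the label shows one account, a hidden input carries the identity.
function sampleForm() {
  return {
    displayedIdentity: 'me@example.com',
    fields: [
      { name: 'email', type: 'email', value: 'me@example.com', hidden: true, width: 0, height: 0 },
      { name: 'password', type: 'password', value: '', width: 200, height: 30 },
    ],
  };
}
const customerCred = { username: 'customer@example.com', password: 'constructed-secret' };
```

With the sample form, `naiveAutofill` leaves the label reading `me@example.com` while the submitted identity becomes `customer@example.com`; `safeAutofill` leaves both fields untouched and reports the mismatch.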

