This LastPass bug could reveal your password on the MacBook Pro’s Touch Bar


If you happen to use LastPass and have the brand new MacBook Pro with the Touch Bar, then we suggest you avoid using the macOS app for the time being. Why? You could be at risk of revealing your master password when logging into the service. In other words, you could accidentally reveal the password to access all your passwords.

And yes, that is very scary news indeed.

First revealed by Twitter user @luke_dot_js, the bug lies with how the LastPass macOS app handles passwords when you log in. Instead of using the native password field in macOS, it appears that LastPass is using a standard text field and masking the characters with bullets.

And because macOS sees it as a text box and not a password field, the Touch Bar will then suggest spelling options or reveal your password.

LastPass users who don’t have the Touch Bar should note that TechGeek can confirm this vulnerability in the macOS app still affects them. While your password will not show up right away (like on the Touch Bar), right-clicking on the text box will reveal your password – as seen in the image below.

[Image: screenshot]

Now, before you go jumping ship from LastPass, we should also add that this only affects the macOS desktop application. At the time of writing and according to reports on Twitter, this security flaw does not affect its browser extensions.

https://twitter.com/mpanighetti/status/799740870819885056

LastPass have said on Twitter that their developers have reviewed it and noted that they could “make improvements” – that is, fix the damn security flaw and use the native password field. Hopefully they make the fix as soon as possible.
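The difference between the two field types, as an added example that is not LastPass's code or part of the original article: a plain `NSTextField` next to AppKit's native `NSSecureTextField`, plus a debug-time audit that flags editable plain fields labelled like password inputs. The function names, the hint words and the sample view are assumptions made for illustration.

```swift
import AppKit

// Weak pattern from the article: an ordinary text field. Drawing bullets over
// its contents is cosmetic; macOS still treats the value as plain text.
@MainActor func makeMaskedPlainField() -> NSTextField {
    let field = NSTextField(frame: NSRect(x: 0, y: 0, width: 240, height: 24))
    field.placeholderString = "Master Password"   // constructed sample label
    return field
}

// Corrected pattern: the native AppKit password field.
@MainActor func makeNativeSecureField() -> NSSecureTextField {
    let field = NSSecureTextField(frame: NSRect(x: 0, y: 30, width: 240, height: 24))
    field.placeholderString = "Master Password"   // constructed sample label
    return field
}

// Hypothetical audit helper: walk a view tree and collect editable text fields
// whose placeholder, identifier or tooltip suggests a secret, but which are
// not NSSecureTextField. The hint list is an assumption; tune it per app.
@MainActor func findPlainPasswordFields(in root: NSView,
        hints: [String] = ["password", "passphrase"]) -> [NSTextField] {
    var findings: [NSTextField] = []
    var pending: [NSView] = [root]
    while let view = pending.popLast() {
        pending.append(contentsOf: view.subviews)
        guard let field = view as? NSTextField,
              field.isEditable,
              !(field is NSSecureTextField) else { continue }
        let labels = [field.placeholderString, field.identifier?.rawValue, field.toolTip]
            .compactMap { $0?.lowercased() }
        if labels.contains(where: { label in hints.contains { label.contains($0) } }) {
            findings.append(field)
        }
    }
    return findings
}

// Constructed sample hierarchy: one weak field and one native secure field.
let loginView = NSView(frame: NSRect(x: 0, y: 0, width: 260, height: 60))
loginView.addSubview(makeMaskedPlainField())
loginView.addSubview(makeNativeSecureField())
for field in findPlainPasswordFields(in: loginView) {
    print("Plain NSTextField used for a secret: \(field.placeholderString ?? "(no placeholder)")")
}
```

Only the plain field is reported; a check like this can run in a debug build or a UI test so a regression to a non-secure field is caught before release.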

H/T Chris Morris

Join the Conversation

  • IT Enquirer

    This is the third major security stuffup by Lastpass.
    I feel sorry for the sheeple who are still using it.

    I switched to Keepass a few years ago and have never looked back.
    It stores my data locally and handles passwords for any window in any app.
    And it is free.

    • Anthony

      I left them a while ago. Always had bugs on their Android client and a headache to get through layer 3 support to actually fix them…

      One of the layer 1s tried to say accepting a share on the Android app was not supported even though it was a feature right there in the app.
      (Please at least acknowledge it’s a bug, say you’ve logged it and here’s work around X, instead of just giving me a workaround)

      I just left after being tired of troubleshooting their bugs, until I got to someone competent.

      Guys I’m a dev, I know what I’m talking about, wish I had a direct line.