Seems to be a back-end fix: 3.x is the release version, and 4.x the development version. But soon (April 2017) they will only offer 4.x in the Mozilla Add-on Library and on the LastPass website (to cause less confusion for some LastPass users):
This seems already fixed. All free of charge for LastPass, go go Tavis... https://twitter.com/taviso/status/844574176165822465 https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html/?utm_source=TWITTER&utm_medium=social&utm_term=Customer Serviced-tAnswering CS&utm_content=20170322d-t20170322152929
Agreed, LastPass is one of the most responsive vendors of any kind where security issues are concerned. All of the others have issues too, everyone does. This all reminds me, it's time to renew my subscription with them...
LastPass security flaw could have let hackers steal passwords through browser extensions by Colin Lecher.
I have Enpass Free as a just-in-case backup for KeePass. The Enpass free desktop app is easy to set up. Enpass runs okay in Firefox & Chrome. No harm in trying Enpass Free. Windows PC free desktop platform & pricing here: https://www.enpass.io/ & https://discussion.enpass.io/index.php?/forum/4-free-desktop/ *I don't use Cloud Sync.
None of the exploits were 'in the wild' and LastPass's response times were impressive. He's basically helping to lock down LP. The only other time I've seen him say he was impressed with the response time was for Kaspersky. This below was at noon eastern time today.
Agreed. There has only been one significant attack against LastPass in the years I've been using it; their response was fast and professional, and I feel that's the most important thing. The time to run the other way is when security vendors deny the breaches and the vulnerabilities in their products.
That should contain the latest fixes: https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html/
Unfortunately they seem to have broken the Firefox plugin. I can't get it to install, either from their installer or the website. The only place I can get it is from the Firefox addon site, and it is version 3.3.4 as stated above.
You could install the development version 4.1.36a from the Firefox addon site. It is the same xpi that you get from their website.
Actually what I ended up doing was going to the LastPass site with IE, downloading the Firefox .xpi file and saving it with IE, then dropping it into a running Firefox window. Sadly that works where trying to download it directly with Firefox does not.
Don't you think there would be reports from users if there had been data loss? Sooner or later breaches become public.
Perhaps later? But seriously, the point that Palant rightly made was that there is no way that LastPass could know if data loss has really happened (as their servers are not affected) - although they give that impression. But the probably even more important point is: Palant is undoubtedly a very experienced add-on author who knows what he's doing. So if he criticized design flaws in the LastPass add-on months ago - exactly the ones which were later found as vulnerabilities by Tavis Ormandy - this should have been taken seriously. But obviously nothing happened. So this raises the question: Didn't the LastPass guys read what Palant wrote - or don't they know what they are doing? I've been a long-time (paying!) LastPass user and still am. It's still installed in my browser but I'm using KeePass now. I'm seriously considering getting rid of LastPass completely, although I've always defended them in the past.
I don't know why LastPass didn't take a serious look at Palant's analysis. At least they responded to Tavis Ormandy. I agree that it doesn't inspire confidence when LastPass gives assurances regarding an exploit that doesn't impact their servers. It's a balancing act for security vendors because whenever they admit even the smallest vulnerability some people go nuts and abandon them. I've been using LastPass Premium for a long time too, but if they ever start denying and refusing to fix vulnerabilities I will drop them in a heartbeat.
An analysis by a competitor that... surprise... surprise... is very critical of the LastPass design? At least he is transparent about it. But well... not much to add.
Again - he criticized the design after some other vulnerabilities were reported but before the latest vulnerabilities were detected. Read his blog post from Sept. 2016. His conclusion: Indeed. So his critical remarks are absolutely legitimate.
To clarify: I mean he is transparent about being a developer of a competing password manager. If he honestly wanted to improve LastPass then he should have done what Tavis (and the others) did: develop a working PoC demonstrating the bug and then report it to the manufacturer. Please correct me if I am wrong, but I have not seen any concrete PoC in his blog post, or reports about having been in contact with LastPass to help fix the issue.