LastPass - Developer Console Warning Message


Techabilla

Member
Jan 4, 2023
I ran the JS snippet to extract my vault yesterday but did not notice the following message that now appears:

Stop!

This is a feature for developers and researchers! If you are not a developer or researcher, pasting something here could cause your account to be compromised

Perhaps this has always been there, or then again perhaps it's something new...

EDIT: To be clear, this message is generated by a bit of LastPass JS delivered as 'reqaccts_js_bundle'.
 
The Web Developer console is dangerous if misused, but it has nothing to do with LastPass. You could get a string messaged to you from a site (email or otherwise) that could, for example, send your Chrome password database to a third party.
 
Try this to export your data:

If you're running the LastPass plugin in the browser, click the icon for the plugin in the toolbar at the top. Click account. Click fix a problem yourself. Click export vault items. I don't remember what happens next but it should be pretty obvious.

Hope that helps.

May your bits be stable and your interfaces be fast. :cool: Ron
 
Drops a CSV file into the default downloads directory you have, and BW can import it.
 
Thanks folks. I had no difficulty exporting the vault, I just thought it was interesting that LP put that message in the dev console at some point, and wondered if it was a direct response to either SN904, or Wladimir Palant's original blog post in December. I seem to recall Steve suggesting we should grab the vault as quickly as possible in case LP engineered against the use of the simple JS snippet.

For what it's worth, I'm moving to 1Password since I like the idea of the Secret Key and am happy to pay for what I hope will be good service.
 
As I said, the message is from the browser itself and NOT from LP.

For example: https://forums.opera.com/topic/56011/how-to-remove-the-warning-message-in-dev-console

No - it only appears in dev consoles opened from an active LastPass session (or even the logon screen).

1672967910829.png


Following either of these links leads to a JS bundle...
1672967965279.png


1672969030656.png


... and in the actual code:
1672968052193.png


The minified bundle will download from LastPass (parameter not required) e.g. https://lastpass.com/m.php/reqaccts_js_bundle

If you un-minify, you can find the following clause buried in the middle of hundreds of other definitions:

1672968827611.png


I doubt that the browser is injecting this, and even if it was, what 'account' is it referring to?
 
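The check described in the post above (un-minifying the bundle and finding the clause that prints the message) can be repeated with a short script. This is an added example, not code from the thread or from LastPass: it scans JavaScript source for console calls and reports the ones that print a given phrase. `SAMPLE_BUNDLE` is constructed and the function names are hypothetical.

```javascript
// Added example: list console.* calls in page-supplied JavaScript and the
// string literals they print, to show a console banner comes from site code.
function consoleMessages(source) {
  const calls = [];
  const callRe = /console\.(log|warn|info|error)\(/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    const strings = [];
    let depth = 1, i = callRe.lastIndex;
    while (i < source.length && depth > 0) {
      const ch = source[i];
      if (ch === '"' || ch === "'" || ch === '`') {
        // Read one string literal; an escaped character is kept literally.
        let text = '';
        for (i++; i < source.length && source[i] !== ch; i++) {
          if (source[i] === '\\') i++;
          text += source[i] ?? '';
        }
        strings.push(text);
      } else if (ch === '(') depth++;
      else if (ch === ')') depth--;
      i++;
    }
    calls.push({ method: m[1], offset: m.index, strings });
  }
  return calls;
}

// Keep calls whose first argument contains the phrase; "%c" marks text that
// is styled with CSS passed as a later argument (large red "Stop!" banners).
function findBanner(source, phrase) {
  return consoleMessages(source)
    .filter(c => c.strings.length > 0)
    .map(c => ({ method: c.method, offset: c.offset,
                 styled: c.strings[0].includes('%c'),
                 text: c.strings[0].replace(/%c/g, '').trim() }))
    .filter(c => c.text.toLowerCase().includes(phrase.toLowerCase()));
}

// Constructed sample standing in for an un-minified bundle (not LastPass's code).
const SAMPLE_BUNDLE = [
  'var a=function(){return 1};',
  'function w(){console.log("%cStop!","color:red;font-size:40px");',
  'console.log("%cThis is a feature for developers and researchers!","font-size:16px")}',
  'console.info("loaded (v1)");',
].join('');

console.log(findBanner(SAMPLE_BUNDLE, 'stop!'));
```

A hit in a file served by the site means the page's own script prints the banner; a browser-generated paste warning would not appear in any bundle the site delivers.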
Well, it could refer to the account of whatever site you're visiting. Kind of like those scam messages we see everywhere now.

Nah. I'm used to working in the Chrome developer console, and this is the first time I've ever seen the message. Plus all the evidence I already posted.
 
Facebook does the same thing. Users are told to copy and paste random JavaScript from the internet to "unlock" special features and their account gets taken over.
 
I think browsers should have a message, sort of like how Firefox has the warning for about:config, at least to use the console. If it weren't for the tech support scammers who will blank your view of the screen to change how things look with your bank account, I'm not sure how to handle the "Don't show again" checkbox. The people who would need to see it are likely the ones who would have that option selected without them ever seeing it because they fell for a tech support scam.