Hi all, thought I'd share something that occurred to me after Tavis Ormandy's blog about password managers and then hearing Steve's episode.
One of the biggest risks with the extension aspect of a PM like LastPass is that it is injecting JS on all pages you go to, and in turn giving every site a potential opportunity to exploit that code. It seems to me this can be mitigated by setting the extension's "This can read and change site data" option in Chrome (done by right-clicking the extension icon in Chrome) to "When you click the extension". Sidenote: this is actually also a great setting for extensions you don't fully trust and rarely need.
Thus, any time you need the extension to fill a login or CC, you have to click the extension button, which then does require you to reload the page, but it ensures you only put the extension's JS on sites you intend to log into.
I have tested this with LastPass for the past couple of weeks and it works pretty well. It does make it not feasible to just click the icon on any page (without then reloading the page) and search for something like a note, which I would do, so instead I have switched to using the native app on my OS for things that are not actually related to the page I am on. Also, any new tab you open that is blank actually has the extension loaded already (it unloads when you navigate to any site in that tab, as this is a per-tab and per-domain click-to-activate requirement), so you can use that to find a site you want to open.
This would not mitigate all concerns, and having the LP extension logged in at all in any Chrome tab probably puts it one step closer to exploitation by any site, but this should cover some of the CVEs Tavis previously found with LastPass, such as https://bugs.chromium.org/p/project-zero/issues/detail?id=1225