Closed Bug 1688432 Opened 5 years ago Closed 5 years ago

Login Info Shared Privately through Last Pass Add On is being populated in Firefox Lock Wise account

Categories

(Toolkit :: Password Manager, defect)


RESOLVED INVALID

People

(Reporter: tam3634, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Attached file: Firefox Bug.docx (15.16 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)

• Summary: Login Info Shared Privately through LastPass Add-on is being populated in Firefox Lockwise account
• Component: Firefox Lockwise
• Version: Firefox 82.4.2 64bit
• OS: Windows 10 Home, Version 1909, OS Build 18363.1316
• Description: Login info and passwords shared privately through LastPass, a Firefox add-on, are being populated in the Firefox Lockwise account

Steps to Reproduce:

  1. Log into Firefox Browser
  2. Log in to the LastPass add-on
  3. Open LastPass Vault / Open Shared with me / Choose an accepted share
  4. Click Launch on Shared Login
  5. When the webpage opens, Firefox Lockwise will offer to save the login info
  6. You will be able to view and copy the privately shared login info including password

• Actual Results: Reproduced 3x. I was able to see and copy the privately shared password and login info
• Expected Results: Shared login info should be populated on the webpage but remain private and secured. It should not be able to be viewed, copied, or saved in the Firefox Lockwise account

Original document information
• Author(s): Tamara Austin
• Date last modified: January 23, 2021 at 5:59 pm EST

Flags: sec-bounty?

(In reply to TA from comment #0)

> • Expected Results: Shared login info should be populated on the webpage but remain private and secured. It should not be able to be viewed, copied, or saved in the Firefox Lockwise account

This is not possible. As soon as LastPass (or any password manager, or any other actor - user, website, etc.) fills the webpage form, its value is accessible to the webpage and the user, e.g. via the browser's developer tools, a "reveal password" UI provided by the browser or website, a bookmarklet, etc. This is the case in just about any web browser, not just Firefox.

The fact that it is the LastPass add-on which fills the form, and that it may or may not want the user to have "access" to the actual password, is not visible to Lockwise - it has no idea who put the password in the password field (the user, an add-on, or even the website itself), and thus cannot change its behaviour accordingly.

Reading https://blog.lastpass.com/2016/01/tips-for-securely-sharing-passwords/ , at no point does LastPass claim that the person you're sharing it with does not get access to the shared password - and in fact, the person you're sharing it with can change it, too, just like they could use the shared credentials to change the actual password on the account. The reality of this is somewhat hidden in the small print, e.g. at https://support.logmeininc.com/lastpass/help/use-the-sharing-center-lp020007#task_u2r_h42_jmb, where the last section "About hidden passwords for shared items" says:

When you share an item, regardless of whether you enable the "Allow Recipient to View Password" option, you should be aware of the following:

  • Savvy end users could potentially access the password if they capture it using advanced techniques, but LastPass will never be able to access this data because it has been encrypted using the account's public key.
  • It is also possible to obtain shared passwords using another password manager.

The only safe solution is to not share logins with people who you do not trust with the actual password.

Status: UNCONFIRMED → RESOLVED
Type: task → defect
Closed: 5 years ago
Component: Security → Password Manager
Product: Firefox → Toolkit
Resolution: --- → INVALID
Group: firefox-core-security

If you use an external password manager you can also disable the Firefox password manager so things don't get stored in both places.

Flags: sec-bounty? → sec-bounty-
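The suggestion above (turn off the built-in password manager when an external one is in use) can be enforced for a managed Firefox deployment with an enterprise policy file. The following `policies.json` is an added example, not part of this bug report; it assumes the file is placed in the `distribution` directory of the Firefox installation, and uses the `OfferToSaveLogins` and `PasswordManagerEnabled` policies so that Firefox neither prompts to save filled credentials nor exposes them in the Lockwise / about:logins UI.

```json
{
  "policies": {
    "OfferToSaveLogins": false,
    "PasswordManagerEnabled": false
  }
}
```

For a single unmanaged profile the equivalent is the `signon.rememberSignons` preference set to `false` in about:config, which stops the save prompt described in step 5 of the report.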
