Is there a web UI? If yes, I guess an attacker can just send "bad" JS to the client and steal the master password, no? Or inject a malicious update. Most people probably have auto updates?
Yes, this is one of the concerns. In theory a browser addon should take a while for the bad guys to update and publish, but are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days. I know Mozilla takes a pretty hard stance against this sort of thing, but it's not all caught in review. And then there's the Electron-style apps - those should be static too, right? right?? Also not a safe assumption. And yes, there is a pure-web UI where the code is downloaded from their servers.
> are the existing addons downloading and using server-provided JS? One would hope not, but that's hardly a safe assumption these days
This reminds me of a very brief security review I did of a 3rd-party browser extension that was being installed on everybody's laptop at a previous job. The extension itself had very little code, it was just something that bootstrapped with code from the company's servers. There was no real way to review it or freeze a reviewed version.
The kicker was that the server-provided JS was being loaded over plain HTTP (and no, nothing was checking signatures or anything like that).
I think I misread the initial comment. Yes, if the build server is compromised code could be injected into the next build/release cycle to pilfer your master password. Not only that, but also anything else in the vault since it is decrypted locally and visible to the extension.
Still, local decryption is more secure than sending the master password to the server (so just compromising the server holding your vault wouldn't be enough to steal your password). I think I will switch to Bitwarden, which uses the same approach; LastPass seems to be getting hacked a lot nowadays.
Are you certain Bitwarden has not? I read a thread here some time ago where 1Password was bragging that they have never been breached, and someone basically commented back "they have never been breached that they are aware of".
I am concerned at some level about the LastPass breaches, but I am less affected so far than I have been by the Equifax, Target, and T-Mobile breaches. I have had years of free credit monitoring since each one of those handed out enough data to compromise my identity several times over.