This should be obvious to everyone who has been paying attention: browser-based password manager extensions should no longer be used because they are fundamentally risky and have the potential to have all of your credentials stolen without your knowledge by a random malicious website you visit or by malvertising. But LastPass isn't alone: Keeper, Dashlane and even 1Password have had severe vulnerabilities that allowed attackers to steal all of the passwords in a user's account without their knowledge. This isn't the first extremely severe bug he's found in LastPass, either there've been so many extremely severe bugs in LastPass it would be tedious to list them out. Tavis Ormandy yesterday demonstrated a remote code execution on the latest LastPass version. The most severe of which are in browser-based password managers extensions such as LastPass. It's been over a year since I presented on LostPass at ShmooCon, and in that time, many more bugs have been found in password managers.
