If you happen to use LastPass and have the brand new MacBook Pro with the Touch Bar, then we suggest you avoid using the macOS app for the time being. Why? You could be at risk of revealing your master password when logging into the service. In other words, you could accidentally reveal the password to access all your passwords.
And yes, that is very scary news indeed.
First revealed by Twitter user @luke_dot_js, the bug lies in how the LastPass macOS app handles your password when you log in. Instead of using the native macOS password field, LastPass appears to be using a standard text field and simply masking the characters with bullets.
And because macOS sees it as an ordinary text box and not a password field, the Touch Bar treats its contents as regular text and will suggest spelling corrections for it, revealing your password.
Ugh.
PSA: “secure text input” is way more than just drawing bullets on screen… don’t try to fake it, use NSSecureTextField https://t.co/JzsZPEN9TO
— Jeff Nadeau (@jnadeau) November 19, 2016
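To make the tweet's point concrete, here is an added AppKit illustration in Swift (not code from LastPass or from this article): a text field that merely draws bullets, as a hypothetical stand-in for the "fake it" approach since the article does not say how LastPass masked its field, beside the NSSecureTextField that Apple's engineer recommends, plus a small hypothetical audit helper that flags editable password-looking fields not backed by NSSecureTextFieldCell.

```swift
import AppKit

// INSECURE PATTERN (hypothetical stand-in): an ordinary NSTextField whose cell
// only *draws* bullets. The real characters stay in stringValue and in the
// field editor, so macOS still treats them as plain text: spelling suggestions,
// the Touch Bar candidate bar and the context menu can all expose them.
final class BulletDrawingCell: NSTextFieldCell {
    override func drawInterior(withFrame cellFrame: NSRect, in controlView: NSView) {
        let masked = String(repeating: "\u{2022}", count: stringValue.count)
        let attrs: [NSAttributedString.Key: Any] = [.font: font ?? NSFont.systemFont(ofSize: 13)]
        NSAttributedString(string: masked, attributes: attrs)
            .draw(in: titleRect(forBounds: cellFrame))
    }
}

func makeFakeMaskedField() -> NSTextField {
    let field = NSTextField(frame: NSRect(x: 0, y: 0, width: 240, height: 24))
    field.cell = BulletDrawingCell()          // looks masked, is not secure input
    field.placeholderString = "Master password"
    return field
}

// FIX: NSSecureTextField. Its NSSecureTextFieldCell switches the field editor
// into AppKit's secure text input, so the contents are kept away from the
// spelling, completion and copy/look-up services a normal text field feeds.
func makeSecureField() -> NSSecureTextField {
    let field = NSSecureTextField(frame: NSRect(x: 0, y: 0, width: 240, height: 24))
    field.placeholderString = "Master password"
    return field
}

// AUDIT HELPER (hypothetical): walk a view hierarchy and return editable text
// fields that look like password entry but are not backed by a secure cell.
// Running this over a login window in a debug build catches the LastPass
// mistake before it ships.
func unsecuredPasswordFields(in root: NSView) -> [NSTextField] {
    var found: [NSTextField] = []
    for sub in root.subviews {
        if let field = sub as? NSTextField, field.isEditable,
           !(field.cell is NSSecureTextFieldCell),
           (field.placeholderString ?? "").localizedCaseInsensitiveContains("password") {
            found.append(field)
        }
        found += unsecuredPasswordFields(in: sub)   // recurse into nested views
    }
    return found
}
```

With the two fields above added to a container view, `unsecuredPasswordFields(in:)` returns only the fake-masked one; the NSSecureTextField passes the check.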
It should also be added that if you are a LastPass user who doesn't have the Touch Bar, TechGeek can confirm that this vulnerability in the macOS app still affects you. While your password will not show up right away (as it does on the Touch Bar), right-clicking on the text box will reveal your password – as seen in the image below.
Now, before you go jumping ship from LastPass, we should also add that this only affects the macOS desktop application. At the time of writing and according to reports on Twitter, this security flaw does not affect its browser extensions.
https://twitter.com/mpanighetti/status/799740870819885056
LastPass have said on Twitter that their developers have reviewed it and noted that they could "make improvements" – that is, fix the damn security flaw and use the native password field. Hopefully they ship the fix as soon as possible.
@djm_ We reached out to our dev team for review & looks like we can make improvements as well–we'll get on it!
— LastPass Support (@LastPassHelp) November 18, 2016
H/T Chris Morris