LastPass update? (or A/B testing?)

I don’t know if I am being attacked somehow (a man in the middle?) or if LastPass is just bad at this!

If you’re going to change your logon UI, you don’t just throw it at someone… not if you’re smart anyway! How do I know if the new UI is official or if I am under some sort of credential grabbing attack?

I updated my Firefox to 81 today, and then when I went to use LastPass, it threw a COMPLETELY new UI at me to log on. The new UI didn’t have my saved email address. It looked legit, but fatter with more white space. I went to the LastPass site, but nowhere could I find an example of what the logon is SUPPOSED to look like. I went to other [virtual] machines I use, and they had the old UI I was familiar with.

WTF is going on, LastPass? Are you incapable of getting this right? Something so drastic as your logon page should not be an A/B test without WARNING.

Here’s a picture with the new one on the left, and what I expected on the right.

@Leo, since they’re a sponsor, you should feed back at them on this, IMHO.

1 Like

Further clarification:

The extension page has NO release notes to inform me of the change, but it does have version and last update time:
Version 4.56.1.3
Last Updated September 17, 2020

Okay, it gets even weirder. I disabled the extension and then re-enabled it, and it returned to the original (old?) expected UI… WTF is going on, LastPass??

Just downloaded the LastPass add-on for Firefox and this is what I get.
Firefox: 80.0.1
LastPass: 4.56.1.3

Update: Just checked Chromium too and the same look.

Update 2:

Disabled and then re-enabled LastPass and I have replicated your discovery…

Update 3:

So changes look legit but as you say, a more vocal heads up from LastPass would have saved people time checking for a potential compromise. I wonder if the disable/re-enable UI change is a bug or a feature as a backup if the new UI fails in some situation.

In reading that support article, the single word that jumps to mind is incompetence. They clearly don’t understand how changing something so crucial as your primary logon needs to be properly communicated. At a minimum they should have included a link on the new page with a link to the site explaining the change(s).

1 Like

Over the last month I’ve seen this happen a few times since I use multiple browsers with multiple profiles for specific task sets. It definitely gave me pause the first time I saw my email not shown but “Remember Email” was selected. To see if it was just an update related thing I closed and re-opened the browser and this time my email was shown so I felt sure it was just a UI change. They really should do a better job of alerting users to a UI change.

2 Likes

some sort of credential grabbing attack

I’d like to think that if someone were successfully able to defeat all the security mechanisms in place to ensure a secure connection to known LastPass code, that they would probably be competent enough to not redesign (and improve) the UI while they’re at it.

i.e. Paranoia can be helpful in security, but let’s be rational with it.

1 Like

Apparently you think it is harder to secretly install an extension into a browser than I do.

You quoted the wrong part of my comment. This part is still relevant to your reply:

they would probably be competent enough to not redesign (and improve) the UI while they’re at it.

1 Like

This is exactly my issue with LastPass: they change the UI of the extension without warning. I had the same issue with the Firefox extension years ago when I noticed a drastic change in the UI without any advance notice. At the time I was a premium user too.

1 Like