LastPass has a secret major vulnerability - and, as yet, there's no fix

Here’s what users can do in the meantime…

LastPass has a secret major vulnerability - and, as yet, there's no fix

Popular password management firm LastPass is currently in the process of fixing a client-side vulnerability in its browser extension that was responsibly disclosed by a security researcher.

Over the weekend of March 24, Google vulnerability researcher Tavis Ormandy tweeted that he had figured out a way to achieve code execution in the browser extension for the LastPass password manager.

Ormandy, who has discovered numerous flaws in anti-virus products, adhered to the ethics of responsible disclosure (this time) by not publicly stating how the exploit worked.

Instead Ormandy contacted LastPass directly.

In turn, the password manager, which has fixed more than one security hole over the years, took two days to publicly acknowledge Ormandy's disclosure. It also did not reveal any details of the exploit.

As LastPass explains in a blog post:

"We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.

"In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market."

It's always nice to see a vendor thank a researcher for helping to improve their security via responsible disclosure. Not every company responds that graciously. Some ban researchers for trying their best to advance security in a conscientious manner.

LastPass is currently in the process of fixing the vulnerability disclosed by Ormandy. Rather annoyingly for LastPass, one imagines, it was only informed about the security hole days after it had patched other security vulnerabilities found by the researcher.

While it continues with its work, LastPass recommends that users do three things. First, it urges them to launch sites directly from the LastPass vault rather than through its browser extension (the smartphone app version of LastPass is thought not to be affected).

Second, it cautions users to be on the lookout for suspicious links and email attachments that might try to phish for their credentials.

Third, it advises customer to implement 2-step verification (2SV) on any and all accounts that offer the feature.

Interested in learning more about 2SV? Check out our resources below.

Update: LastPass says it has now resolved the issue, and has urged users to check that they are running the latest version (4.1.44 or higher). More details.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

3 Responses

  1. Bob

    April 1, 2017 at 11:33 am #

    It's been fixed now but it's astonishing that there are so many flaws in LastPass and other online password managers.

    https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

    1Password have had a slew of different vulnerabilities. Each time the company denies them or writes a blog post saying how unimportant it is.

    It's very difficult to trust a commercial company for security. KeePass is free, open source, offline, has been extensively audited and deemed secure.

    http://keepass.info/

    • Alex in reply to Bob.

      April 4, 2017 at 12:10 pm #

      Or KeePassX if your on a Mac.

    • Mark Preston in reply to Bob.

      April 4, 2017 at 7:24 pm #

      Holes are in all software. Period. Another generation or two before they close. I'm a LP paid subscriber. I like it. 'nuff said.

Leave a Reply