Popular password management firm LastPass is currently in the process of fixing a client-side vulnerability in its browser extension that was responsibly disclosed by a security researcher.
Over the weekend of March 24, Google vulnerability researcher Tavis Ormandy tweeted that he had figured out a way to achieve code execution in the browser extension for the LastPass password manager.
OK, exploit working and full report sent to LastPass. Now time to put some pants on. 👖
— Tavis Ormandy (@taviso) March 25, 2017
Ormandy, who has discovered numerous flaws in anti-virus products, adhered to the ethics of responsible disclosure (this time) by not publicly stating how the exploit worked.
Instead Ormandy contacted LastPass directly.
In turn, the password manager, which has fixed more than one security hole over the years, took two days to publicly acknowledge Ormandy’s disclosure. It also did not reveal any details of the exploit.
As LastPass explains in a blog post:
“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.
“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market.”
It’s always nice to see a vendor thank a researcher for helping to improve their security via responsible disclosure. Not every company responds that graciously. Some ban researchers for trying their best to advance security in a conscientious manner.
LastPass is currently in the process of fixing the vulnerability disclosed by Ormandy. Rather annoyingly for LastPass, one imagines, it was only informed about the security hole days after it had patched other security vulnerabilities found by the researcher.
While it continues with its work, LastPass recommends that users do three things. First, it urges them to launch sites directly from the LastPass vault rather than through its browser extension (the smartphone app version of LastPass is thought not to be affected).
Second, it cautions users to be on the lookout for suspicious links and email attachments that might try to phish for their credentials.
Third, it advises customers to implement 2-step verification (2SV) on any and all accounts that offer the feature.
Interested in learning more about 2SV? Check out our resources below.
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to protect your Office 365 users with multi-factor authentication
- How to protect your Microsoft account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)
- Instagram finally supports third-party 2FA apps for greater account security
- How to protect your Nintendo account from hackers with two-step verification (2SV)
- How to better protect your Roblox account from hackers with two-step verification (2SV)
Update: LastPass says it has now resolved the issue, and has urged users to check that they are running the latest version (4.1.44 or higher). More details.
3 comments on “LastPass has a secret major vulnerability – and, as yet, there’s no fix”
It's been fixed now but it's astonishing that there are so many flaws in LastPass and other online password managers.
1Password have had a slew of different vulnerabilities. Each time the company denies them or writes a blog post saying how unimportant it is.
It's very difficult to trust a commercial company for security. KeePass is free, open source, offline, has been extensively audited and deemed secure.
Or KeePassX if you're on a Mac.
Holes are in all software. Period. Another generation or two before they close. I'm a LP paid subscriber. I like it. 'nuff said.