LastPass has a secret major vulnerability – and, as yet, there’s no fix

Here’s what users can do in the meantime…

David bisson
David Bisson

LastPass has a secret major vulnerability - and, as yet, there's no fix

Popular password management firm LastPass is currently in the process of fixing a client-side vulnerability in its browser extension that was responsibly disclosed by a security researcher.

Over the weekend of March 24, Google vulnerability researcher Tavis Ormandy tweeted that he had figured out a way to achieve code execution in the browser extension for the LastPass password manager.

Ormandy, who has discovered numerous flaws in anti-virus products, adhered to the ethics of responsible disclosure (this time) by not publicly stating how the exploit worked.

Instead Ormandy contacted LastPass directly.

In turn, the password manager, which has fixed more than one security hole over the years, took two days to publicly acknowledge Ormandy’s disclosure. It also did not reveal any details of the exploit.

As LastPass explains in a blog post:

“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.

“In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market.”

It’s always nice to see a vendor thank a researcher for helping to improve their security via responsible disclosure. Not every company responds that graciously. Some ban researchers for trying their best to advance security in a conscientious manner.

LastPass is currently in the process of fixing the vulnerability disclosed by Ormandy. Rather annoyingly for LastPass, one imagines, it was only informed about the security hole days after it had patched other security vulnerabilities found by the researcher.

While it continues with its work, LastPass recommends that users do three things. First, it urges them to launch sites directly from the LastPass vault rather than through its browser extension (the smartphone app version of LastPass is thought not to be affected).

Second, it cautions users to be on the lookout for suspicious links and email attachments that might try to phish for their credentials.

Third, it advises customer to implement 2-step verification (2SV) on any and all accounts that offer the feature.

Interested in learning more about 2SV? Check out our resources below.

Read more:

Update: LastPass says it has now resolved the issue, and has urged users to check that they are running the latest version (4.1.44 or higher). More details.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “LastPass has a secret major vulnerability – and, as yet, there’s no fix”

  1. Bob

    It's been fixed now but it's astonishing that there are so many flaws in LastPass and other online password managers.

    1Password have had a slew of different vulnerabilities. Each time the company denies them or writes a blog post saying how unimportant it is.

    It's very difficult to trust a commercial company for security. KeePass is free, open source, offline, has been extensively audited and deemed secure.

    1. Alex · in reply to Bob

      Or KeePassX if your on a Mac.

    2. Mark Preston · in reply to Bob

      Holes are in all software. Period. Another generation or two before they close. I'm a LP paid subscriber. I like it. 'nuff said.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.