Mathias Karlsson, a security researcher at Detectify Labs, writes:
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
In his article, Karlsson explains how he was able to trick LastPass into believing that it was on the real Twitter website, and cough up the users’ credentials because of a bug in the LastPass password manager’s autofill functionality.
The same technique could have been used to steal passwords associated with other websites.
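The article does not describe the internals of the autofill bug, only that the extension was tricked into treating another page as the real Twitter site. As an added illustration (not LastPass's code or Karlsson's findings), the snippet below contrasts a hypothetical loose URL match with a strict origin check that a password manager should apply before offering a saved credential: the URL is parsed, the scheme must be https, and only the parsed hostname is compared against the saved site on a label boundary. The sample URLs are constructed.

```python
from urllib.parse import urlsplit


def naive_match(page_url: str, saved_host: str) -> bool:
    """Hypothetical weak pattern: substring search over the whole URL.

    Anything that merely contains the saved host name (a path, a query
    parameter, a userinfo block, a longer host) passes this check.
    """
    return saved_host in page_url


def strict_match(page_url: str, saved_host: str) -> bool:
    """Strict origin check a password manager should use before autofilling.

    Parses the URL, requires https, and compares only the hostname to the
    saved site, either exactly or as a real subdomain ("." boundary).
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    saved = saved_host.lower().rstrip(".")
    if not host or not saved:
        return False
    return host == saved or host.endswith("." + saved)


def autofill_decisions(page_urls, saved_host):
    """Return {url: (naive_result, strict_result)} for a list of page URLs."""
    return {u: (naive_match(u, saved_host), strict_match(u, saved_host)) for u in page_urls}


if __name__ == "__main__":
    # Constructed sample URLs: only the first two should ever receive the credential.
    sample_urls = [
        "https://twitter.com/login",
        "https://mobile.twitter.com/login",
        "http://twitter.com/login",                       # not https
        "https://twitter.com.example.test/login",         # saved host is only a prefix
        "https://example.test/?next=twitter.com",         # saved host in query string
        "https://user:twitter.com@example.test/",         # saved host in userinfo
        "https://nottwitter.com/",                        # no label boundary
    ]
    for url, (loose, strict) in autofill_decisions(sample_urls, "twitter.com").items():
        print(f"{url:50} naive={loose!s:5} strict={strict}")
```

Run as a script it prints one line per URL; the strict check is what an autofill gate should look like, and the naive column shows how many unrelated pages a loose match would hand the credential to.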
The good news is that Karlsson believes in responsible disclosure, and so informed LastPass of the problem. In more good news, LastPass fixed the issue in less than a day (and awarded Karlsson a $1,000 bug bounty for his efforts).
Karlsson recommends that LastPass users disable the autofill functionality and enable multi-factor authentication for better security.
Although his discovery is troubling, I agree with Karlsson when he points out that using a password manager is still better than reusing passwords on different websites.
PS. Well-known vulnerability researcher Tavis Ormandy has also tweeted overnight that he has found a flaw in LastPass.
Update 28 July 2016: Details of the flaw found by Ormandy have now been published, and LastPass has pushed out a fix for all at-risk Firefox users running LastPass 4.0.
PPS. Readers with good memories will recall that LastPass was acquired by LogMeIn last year to the concern of some. Overnight it has been announced that LogMeIn is itself being acquired by Citrix.
5 comments on “LastPass security holes could have seen hackers steal your passwords”
Tried using LastPass but gave up and went back to Keepass. Their plugin kept crashing my browser, and I prefer having complete control over the database file that Keepass provides. Plus, cloud password storage acts like a honeypot, whereas with Keepass, when you upload your encrypted database file to cloud storage, you benefit from security from obscurity. I know that is usually considered bad practice, but it is actually an extra layer of security in this case.
It's disgusting that they only rewarded him $1,000 (£756) for a vulnerability that could have put the company out of business. If companies don't pay decent bounties then the only people who will seek out problems in their code will be criminal hackers who will be remunerated with massive sums: upwards of $500,000. Other countries' governments would pay even more: upwards of $1M for RCE exploits.
Even worse is their suggestion that it wasn't serious! LastPass aren't properly allocating developers or penetration testers to proactively validate their code. Considering they charge people for their premium service this is simply not acceptable.
There are still other vulnerabilities that are waiting to be fixed as discovered by Tavis. A "quick look" is all it took him. Unacceptable behaviour LastPass.
For their paltry bug bounties I won't bother auditing the code. My time is more valuable.
I stopped using Keepass when my laptop was stolen. I realised that anyone with basic programming knowledge could brute-force break a password cache by just plugging passwords into Keepass. I now use Lastpass. I figure that if anyone can intercept my logging into Lastpass then I can't use the internet. Pretty much all my passwords are for the internet.
Then you've fundamentally misunderstood how password managers work Robert.
Search Google for 'password derivation functions' and you'll get lots of information on the primary method used to prevent brute force attacks. Instead of being able to try 1 trillion passwords per second using supercomputers the maths means that an attacker can try 1 password per second (or less, depending upon the KeePass option you use).
If you're concerned about your stolen laptop then all I can say is you should have encrypted it. Proper encryption would prevent the thief from breaking into your data.
LastPass is less secure than KeePass but use whichever you feel most comfortable with.
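The point Bob makes above, that a key derivation function turns a database master password into something that can only be guessed slowly, is easy to demonstrate. The following is an added example and not part of the comment thread, KeePass, or LastPass: it uses PBKDF2-HMAC-SHA256 from Python's standard library to derive and verify a key with a per-database salt, then measures how the iteration count (the "work factor", an assumed value here, not a KeePass setting) drives down the number of guesses a single core can make per second. Passwords and salts are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; the real value is a product setting.
ITERATIONS = 600_000


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Create the verifier a database would store: random salt, work factor, derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "key": derive_key(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and work factor; constant-time compare."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many candidate passwords one core can test at a given work factor."""
    salt = b"constructed-fixed-salt-16"
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    print("correct password accepted:", verify("correct horse battery staple", record))
    print("wrong password rejected:  ", not verify("Tr0ub4dor&3", record))
    # Each tenfold increase in iterations costs the attacker roughly a tenfold slowdown.
    for work in (1_000, 10_000, 100_000):
        print(f"{work:>8} iterations: ~{guesses_per_second(work):.1f} guesses/s on one core")
```

Running it shows the trade-off directly: the legitimate user pays the derivation cost once per unlock, while an attacker with the stolen database pays it for every guess, and a higher iteration count shrinks the guesses-per-second figure proportionally.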
Thanks Bob. Makes sense.