LastPass security holes could have seen hackers steal your passwords

Flaw fixed quickly – phew!

Lastpass

Mathias Karlsson, a security researcher at Detectify Labs, writes:

Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.

In his article, Karlsson explains how he was able to trick LastPass into believing that it was on the real Twitter website, and cough up the users’ credentials because of a bug in the LastPass password manager’s autofill functionality.

Sign up to our free newsletter.
Security news, advice, and tips.

Stealing password

The same technique could have been used to steal passwords associated with other websites.

Yeuch!

Lastpass 170The good news is that Karlsson believes in responsible disclosure, and so informed LastPass of the problem. In more good news LastPass fixed the issue in less than a day (and awarded Karlsson a $1,000 bug bounty for his efforts).

Karlsson recommends that LastPass users disable the autofill functionality and enable multi-factor authentication for better security.

Although his discovery is troubling, I agree with Karlsson when he points out that using a password manager is still better than reusing passwords on different websites.

PS. Well-known vulnerability researcher Tavis Ormandy has also tweeted overnight that he has also found a flaw in LastPass.

Update 28 July 2016: Details of the flaw found by Ormandy have now been published, and LastPass has pushed out a fix for all at-risk Firefox users running LastPass 4.0.

PPS. Readers with good memories will recall that LastPass was acquired by LogMeIn last year to the concern of some. Overnight it has been announced that LogMeIn is itself being acquired by Citrix.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “LastPass security holes could have seen hackers steal your passwords”

  1. Techno

    Tried using LastPass but gave up and went back to Keepass. Their plugin kept crashing my browser, and I prefer having complete control over the database file that Keepass provides. Plus, cloud password storage acts like a honeypot, whereas with Keepass, when you upload your encrypted database file to cloud storage, you benefit from security from obscurity. I know that is usually considered bad practice, but it is actually an extra layer of security in this case.

  2. Bob

    It's disgusting that they only rewarded him $1,000 (£756) for a vulnerability that could have put the company out of business. If companies don't pay decent bounties then the only people who will seek out problems in their code will be criminal hackers who will be renumerated with massive sums: upwards of $500,000. Other countries governments would pay even more: upwards of $1M for RCE exploits.

    Even worse is their suggestion that it wasn't serious! LastPass aren't properly allocating developers or penetration testers to proactively validate their code. Considering they charge people for their premium service this is simply not acceptable.

    There's still other vulnerabilities that are waiting to be fixed as discovered by Travis. A "quick look" is all it took him. Unacceptable behaviour LastPass.

    For their paltry bug bounties I won't bother auditing the code. My time is more valuable.

  3. Robert

    I stopped using Keepass when my laptop was stolen. I realised that anyone with basic programming knowledge could brute-force break a password cache by just plugging passwords into Keepass. I now use Lastpass. I figure that if anyone can intercept my logging into Lastpass then I can't use the internet. Pretty much all my passwords are for the internet.

    1. Bob · in reply to Robert

      Then you've fundamentally misunderstand how password managers work Robert.

      Search Google for 'password derivation functions' and you'll get lots of information on the primary method used to prevent brute force attacks. Instead of being able to try 1 trillion passwords per second using supercomputers the maths means that an attacker can try 1 password per second (or less, depending upon the KeePass option you use).

      If you're concerned about your stolen laptop then all I can say is you should have encrypted it. Proper encryption would prevent the thief from breaking into your data.

      LastPass is less secure than KeePass but use whichever you feel most comfortable with.

      1. Robert · in reply to Bob

        Thanks Bob. Makes sense.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.