Security vulnerabilities are a serious thing, and as such require serious attention, research, and reporting. One of the worst kinds of vulnerabilities is a remotely exploitable security flaw. This means that the malicious code can be executed without physical access to you machine, and sometimes without your direct intervention.
Today the internet blog sphere will erupt with stories (both good and bad) about two remote vulnerabilities found in LastPass, one of the most popular password security products on the market. If you use LastPass and it’s vulnerable that’s a real risk. So we’re here to dispell the FUD (fear, uncertainty, and doubt) and try to arm you with accurate information on which to go forward.
First things first, one flaw has already been patched/fixed.
What has happened
First things first, one flaw has already been patched/fixed, that’s worth saying twice. Right to the background. An independent security research Mathias Karlsson found the flaw in LastPass the essentially took advantage of two of its browser extension features, firstly a bug in the way URL’s were parsed would allow a site to masquerade as another site, and secondly the autofill functionality would then give your username and password to that site. Genius actually.
You don’t even need to click ok, a site can track what you type into fields even if you don’t click submit, put your details into a shopping cart and then close the page and wait for the abandoned cart emails.
As a professional security researcher, Mathias notified LastPass who have now patched the bug and even granted a whole $1000 reward payment to the researcher.
What about the second exploit?
Travis Ormandy, a research working for Google’s Project Zero claims to have also found a remote vulnerability. The details of that have not yet come to light, all we have is his twitter posts outlining that he’s found some undefined exploit/s and he’s passed it on to LastPass.
Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.
— Tavis Ormandy (@taviso) July 27, 2016
We will see if this is a different vulnerability or something new, but seeing as the original issue should already be patched perhaps it’s a different flaw? The speed at which LastPass addressed that first vulnerability bodes well for them fixing this issue quickly as well.
Update: Looks like LastPass is all over this second bug as well, with their latest blog post noting that this bug has also been patched. On their blog, they describe the exploit, which affected Firefox browsers, and patched it in the last update:
The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.
So Should I abandon password managers?
No, Nein, Net.
The researcher makes the fantastic point that while some security issues may exist with password managers they are typically much better than the alternatives that we meat bags use, things like common passwords. With security researchers such as these two and others around the world constantly testing these services it’s hopeful exploits like these will be caught and fixed before they are ever “weaponised”!
What you could do is make sure you long in passphrase is strong, secure and complex. If you need some hint and tips on good password habits check out our post. Enabling 2 factor authentication where you can is also a must do security.
Do you have good password habits? Let us know what you most secure password is below. (this is a test!!)