Security vulnerabilities are a serious thing, and as such require serious attention, research, and reporting. One of the worst kinds of vulnerabilities is a remotely exploitable security flaw. This means that the malicious code can be executed without physical access to you machine, and sometimes without your direct intervention.
Today the internet blog sphere will erupt with stories (both good and bad) about two remote vulnerabilities found in LastPass, one of the most popular password security products on the market. If you use LastPass and it’s vulnerable that’s a real risk. So we’re here to dispell the FUD (fear, uncertainty, and doubt) and try to arm you with accurate information on which to go forward.
First things first, one flaw has already been patched/fixed.
What has happened
First things first, one flaw has already been patched/fixed, that’s worth saying twice. Right to the background. An independent security research Mathias Karlsson found the flaw in LastPass the essentially took advantage of two of its browser extension features, firstly a bug in the way URL’s were parsed would allow a site to masquerade as another site, and secondly the autofill functionality would then give your username and password to that site. Genius actually.
You don’t even need to click ok, a site can track what you type into fields even if you don’t click submit, put your details into a shopping cart and then close the page and wait for the abandoned cart emails.
As a professional security researcher, Mathias notified LastPass who have now patched the bug and even granted a whole $1000 reward payment to the researcher.
What about the second exploit?
Travis Ormandy, a research working for Google’s Project Zero claims to have also found a remote vulnerability. The details of that have not yet come to light, all we have is his twitter posts outlining that he’s found some undefined exploit/s and he’s passed it on to LastPass.
Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.
— Tavis Ormandy (@taviso) July 27, 2016
We will see if this is a different vulnerability or something new, but seeing as the original issue should already be patched perhaps it’s a different flaw? The speed at which LastPass addressed that first vulnerability bodes well for them fixing this issue quickly as well.
Update: Looks like LastPass is all over this second bug as well, with their latest blog post noting that this bug has also been patched. On their blog, they describe the exploit, which affected Firefox browsers, and patched it in the last update:
The second report was made yesterday by Google Security Team researcher Tavis Ormandy, who contacted our team to report a message-hijacking bug that affected the LastPass Firefox addon. First, an attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.
So Should I abandon password managers?
No, Nein, Net.
The researcher makes the fantastic point that while some security issues may exist with password managers they are typically much better than the alternatives that we meat bags use, things like common passwords. With security researchers such as these two and others around the world constantly testing these services it’s hopeful exploits like these will be caught and fixed before they are ever “weaponised”!
What you could do is make sure you long in passphrase is strong, secure and complex. If you need some hint and tips on good password habits check out our post. Enabling 2 factor authentication where you can is also a must do security.
Do you have good password habits? Let us know what you most secure password is below. (this is a test!!)
Passphrases are also an excellent option to easily strengthen passwords. I don’t put any of my critical passwords into a password manager (email, banking, PayPal, computer login) and for these I use passphrases which utilise upper and lower case, numbers and special characters. None are the same as each other either.
Even with a password manager, go to the effort of changing any passwords that are still the same between different services from before you had a password manager. A good tool will help you identify these.
Also if possible register your own domain name and have it set up so that no matter the left hand side of the address, you still receive the email. So if an email is sent to [email protected] or [email protected] or [email protected], no matter what you choose, you get the email. That way you can change the email address if the website is compromised, and if you start seeing spam you can block the previous email address. This helps reduce the likelihood of successful phishing attacks. Not so easy to set up though, and generally costs money. A cheaper way using… Read more »
Another reason to use KeePass. Remote vulnerabilities are not possible with that model and it’s free. I’m not really sure why people pay for a less secure service. Form filling works great on PC and decent apps for phone too (although the best one for Android costs a few bucks but that’s only a single purchase).
I agree. I avoided Lastpass because it requires putting all passwords in the cloud. That requires massive trust in Lastpass. I use Keepass.
Quick action, transparency and communication.
While they are not perfect, incidents like this make me feel a lot more comfortable trusting my data to them.