Passwords begone: two LastPass vulns found and promptly fixed, update now!

Two security vulnerabilities have been found and fixed in password manager LastPass. One by prolific security-vulnerability finder Tavis Ormandy, and the other by Mathias Karlsson of Detectify Labs.

Password manager v password re-use!
Password manager v password re-use!

Two security vulnerabilities have been found and fixed in password manager LastPass.

One by prolific vulnerability finder Tavis Ormandy, and the other by Mathias Karlsson of Detectify Labs.

Tavis Ormandy, a member of Google's Project Zero tweeted asking: “Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.”

According to Ormandy, the vulnerability found allowed remote code execution. This means a criminal can send in malicious code that is unauthorised and have it executed by the software without letting the user know.

LastPass have now fixed the vulnerability, and have pushed the fix out to all users.

The hacker has previously torn apart most major antivirus platforms, finding bugs in Symantec, Avast, Malwarebytes, Comodo, Kaspersky, and Bromium.

Paul Ducklin, senior technologist at Sophos told SCMagazineUK.com:  "As far as the LastPass remote compromise bug goes, 'All's well that ends well'. LastPass got a patch sorted out yesterday already - in the end, it seems that only Firefox users were at risk - and published it. A good result in my book: chalk one up for responsible disclosure!".

The other bug, also now solved, was discovered by Mathias Karlsson of Detectify Labs, a website analysis service. The bug was found when Karlsson noticed the extension was adding some HTML code to the end of a link of every page he visited in his browser.

In a blog post, Karlsson wrote: “The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. However, the URL parsing code was flawed.”

He went on to explain: “By browsing this URL: http://avlidienbrunn.se/@twitter.com/@hehe.php the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurrence of @, the actual domain is treated as the username portion of the URL.”  

LastPass later released a security statement and commented on the bug found by Karlsson saying: “All browser clients were updated and Karlsson confirmed our fix at that time, requiring no action from our users.”

To try and calm the worry, LastPass commented: “Security is fundamental to what we do here at LastPass. Our first priority is always responding to and fixing reports as quickly as possible.”

And likewise Karlsson highlighted that despite password managers being vulnerable to unknown security mishaps like the ones described above, they are still better than the alternative, password re-use.

Ryan O'Leary, vice president at WhiteHat Security commented to SC by email:  "The zero day found in LastPass really is a worst-case scenario, a flaw that allows an attacker to completely compromise accounts and view all stored passwords. Passwords are the keys to your digital kingdom. Any security vulnerability present in these password managers is enough to stop people using them. It's simply too big a risk to compromise one of the most vital pieces of information you have when you go online."

On the point of why Google Project Zero member Tavis Ormandy mentioned on Twitter that he found problems before he disclosed the issues to LastPass, O'Leary said: "Responsible disclosure is a tricky thing. Tavis did not disclose how he was able to remotely compromise accounts, which would obviously have had immediate, devastating implications. Instead, he made it known to users that there was a critical flaw and that he would report the findings immediately to LastPass. He did this so that users would know of the issue, potentially stop them using the service, or at the very least, go in and change their passwords immediately."

Sign up to our newsletters