LastPass Patches Password Manager Vulnerability

Google Project Zero's Tavis Ormandy Found the Flaw
Password managers are a sensible way to handle large numbers of login credentials safely. The applications generate strong passwords for new web services and store them securely. But if a password manager itself has software vulnerabilities, every account it protects could be compromised.
After dropping hints on Twitter, Google Project Zero's Tavis Ormandy revealed the details of what he portrays as a severe vulnerability in the LastPass password manager. LastPass, however, has released a patch.
Cracking a password manager is extremely useful for an attacker because it immediately provides access to a number of websites and services. Ormandy's first warnings came on July 26 via Twitter: "Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap." In a follow-up tweet, he wrote: "Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise."
Ormandy's research focused on the Firefox add-on for LastPass. LastPass offers add-ons for various browsers; each interacts with the "vault" application that stores passwords securely.
The vulnerability Ormandy identified allows an attacker to communicate with the add-on through malicious code, he claimed in an advisory. For a successful exploit, a victim would have to be tricked into visiting a malicious website.
"An attacker can create and delete files, execute script, steal all passwords, log victims into their own LastPass account so that they can steal anything new saved there, etc, etc.," Ormandy wrote.
LastPass did not respond to Information Security Media Group's repeated requests for comment. But the company posted a blog on July 27 acknowledging the vulnerability and saying it has now been patched. It's not clear whether attackers had actually used the vulnerability before Ormandy's disclosure.
Ormandy says he donated the bug bounty he received from LastPass to Amnesty International, according to his advisory.
Other Issues for LastPass
The attention around Ormandy's latest find prompted another security researcher to disclose a separate issue he had found in LastPass. That vulnerability was fixed about a year ago, according to LastPass, which addressed it in the same advisory in which it discussed Ormandy's finding.
Mathias Karlsson found a URL parsing bug that affected all browsers using LastPass. LastPass autofills passwords for domains for which it has stored credentials. Karlsson found that by tweaking a URL, he could make LastPass return credentials for domains that the user wasn't actually visiting.
LastPass, which fixed the problem within a day, rewarded Karlsson with $1,000, according to his blog post.
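The article does not say how Karlsson's URL was tweaked, so the following is an added illustration of the general defence rather than LastPass's own code: an autofill decision must be based on the hostname a standards-compliant URL parser extracts, never on whether a stored domain merely appears somewhere in the raw URL string. The vault contents and the URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed vault: credentials keyed by the exact host they belong to.
VAULT = {
    "example.com": ("alice", "s3cret"),
    "bank.example.net": ("alice", "hunter2"),
}


def naive_match(url: str):
    """Weak approach (constructed for contrast): substring search on the raw URL.

    Any stored domain that appears in the path, query or userinfo part of an
    unrelated URL will match, so credentials could be offered to the wrong site.
    """
    for host in VAULT:
        if host in url:
            return host
    return None


def parsed_host(url: str):
    """Hostname as urlsplit sees it: lowercased, userinfo and port stripped."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def strict_match(url: str):
    """Autofill only when the parsed host is a vault host or a subdomain of one."""
    host = parsed_host(url)
    if host is None:
        return None
    for stored in VAULT:
        if host == stored or host.endswith("." + stored):
            return stored
    return None


if __name__ == "__main__":
    # A page on evil.test that only mentions example.com in its query string.
    lure = "https://evil.test/login?next=https://example.com/"
    print(naive_match(lure), strict_match(lure))   # example.com None
```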
In January, research showed that a relatively simple phishing attack could potentially undermine LastPass. Sean Cassidy, CTO of Praesido, published information on an attack he nicknamed LostPass.
Cassidy showed that notifications displayed by LastPass could be spoofed, which could trick people into giving away their login credentials or a one-time passcode, according to his presentation given at the Shmoocon hacking conference.
As a result, LastPass changed how it displays notifications, including sending warnings of login attempts from a new location if they have two-factor authentication enabled, the company wrote in January.