Password manager LastPass discloses patched vulnerabilities, highlighting value of responsible disclosure

Photo credit: LastPass / YouTube


In a sign of the times, LastPass, a leader in the password management space, made an open post on July 27 on their blog discussing two significant flaws in their product.

In their post, they told readers that two issues had been reported to them over the past year and that both had been resolved. The first was a URL parsing bug in the autofill feature that allowed an attacker to pull out passwords stored for other sites. It was uncovered by Mathias Karlsson, a security researcher who had been at Detectify.

According to Karlsson:

The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials.
However, the URL parsing code was flawed (bug in URL parsing? shocker!).

He quickly found that he could visit other sites and extract passwords stored for those sites as well.
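An added illustration of the bug class the post describes, not LastPass's code and not Karlsson's actual finding: an autofill routine that decides "which site am I on" with loose string matching will hand out credentials on the wrong page, while comparing the full origin from a real URL parser does not. The vault, hostnames and the naive matcher are all constructed for the example.

```javascript
// Constructed vault: credentials keyed by the exact origin they were saved for.
const vault = {
  "https://example-bank.test": { user: "alice", pass: "correct horse battery" },
};

// Hypothetical flawed matcher (illustrates the bug class only): the saved
// host merely has to appear somewhere in the page URL.
function naiveMatch(pageUrl, savedHost) {
  return pageUrl.includes(savedHost);
}

// Hardened matcher: parse with the WHATWG URL parser and compare the full
// origin (scheme + host + port). Any parse failure or non-HTTPS page means
// "do not fill"; failing closed is the safe default for a credential store.
function originMatch(pageUrl, savedOrigin) {
  let parsed;
  try {
    parsed = new URL(pageUrl);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  return parsed.origin === savedOrigin;
}

// Autofill decision using the hardened matcher: returns the credential
// entry for the page's origin, or null when nothing should be filled.
function credentialsFor(pageUrl) {
  for (const savedOrigin of Object.keys(vault)) {
    if (originMatch(pageUrl, savedOrigin)) return vault[savedOrigin];
  }
  return null;
}

// Side-by-side verdicts for one page URL, so the difference is visible.
function compare(pageUrl) {
  return {
    naive: naiveMatch(pageUrl, "example-bank.test"),
    hardened: credentialsFor(pageUrl) !== null,
  };
}

// Only the genuine login page gets credentials from the hardened path;
// the naive matcher also says yes to a look-alike host and to a URL that
// merely mentions the saved host in its query string.
console.log(compare("https://example-bank.test/login"));
console.log(compare("https://example-bank.test.other.test/"));
console.log(compare("https://other.test/?next=example-bank.test"));
```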

The second flaw was reportedly found by Tavis Ormandy, a member of Google’s security team. The message-hijacking bug impacted the add-on for Firefox users and allowed attackers to take actions on the user’s account without their knowledge, after gaining access by tricking the victim into visiting a compromised website.

In both cases, the researchers approached LastPass with their findings, and Karlsson at least has confirmed that LastPass has addressed the issue.

What are password managers and why should I care?

For those who are perhaps a bit less security conscious (read paranoid) and are unfamiliar with password managers, they provide a nifty way to generate and store strong passwords without the need to remember them by heart or write them down on slips of paper.

Two of the most common problems in security are the use of overly simplistic passwords and the reuse of the same phrase for multiple accounts. Short passwords are far easier to break, so avoid things like “1234”, “password” or similar options that an idiot might use on their luggage. Gems like “guest1” and the “username” also come to mind.

Send us your favorite stupid passwords in the comments below.

Reuse is probably a trickier problem. We have so many accounts with usernames and passwords today that folks are simply unable to keep track of them. Instead, they find a password that they like and use it for all or most of their accounts. This is great until an attacker gets your username – generally your email – and password, and then tries it out on other commonly used sites like Twitter, Facebook, LinkedIn, etc., leading to all of your accounts being compromised instead of just the one.

However, by using a password manager, users can avoid both of these pitfalls pretty easily. Products like LastPass, 1Password, Dashlane and plenty of others can generate long, jumbled passphrases that look more like “6kdljOup%nc@*zQm2vY” and store them for fast recall.

While everything is always hackable, don’t make it too easy for them.

The one catch is that users will still need to remember a master password. Keep that one safe, since losing it can send you up a creek without a paddle.

Shifting culture of security

While bugs and holes in security always have been – and likely will always be – a fact of life in tech, what has changed is the way that companies interact with researchers and hackers that bring these flaws to their attention.

In the bad old days, companies, especially corporates, would go after folks who would come to them with flaws. Then a few years ago, they began to embrace the idea of responsible disclosure, which was then followed by bug bounties.

This was a smart move since it encouraged researchers to come to the companies first with their findings, giving them time to patch the problem before it reached the public.

These bugs and flaws that go unnoticed are at the core of zero days, since nobody knows that they are there, and can be extremely harmful if they fall into the wrong hands. They can also be very valuable, coming with price tags in the $100,000 range. A zero day for harder to crack systems like iOS can be worth over $1 million to the right buyer.

Bug bounty platforms like HackerOne and Bugcrowd manage disclosure programs and bring together groups of qualified researchers to help companies catch these issues early, before malicious hackers use them in a destructive attack.

Interestingly, Karlsson notes in his post that he was paid $1,000 for his find. While this is a low sum for this kind of flaw, he notes that LastPass paid out in this instance before they had instituted a bug bounty program.

LastPass and others that reward researchers should be applauded and encouraged for making a safer environment.

Are password managers worth the risk?

Understandably, not everyone is comfortable with the idea of forking over all of your passwords to a single database that if cracked could expose them to unwanted intrusions of privacy or harm.

However, the alternative to password managers is not really much of an option. In the balancing act between security and ease of use, LastPass and others in this field offer users a very easy-to-operate product that on the whole will keep them much safer than before. Even Karlsson concurs with this idea in his post exposing the bug in their system: he still believes that it is useful in preventing the far more dangerous practice of password reuse.

LastPass comes out on a fairly annual basis with reports that hackers are targeting them. Of course they are. They are the cookie jar filled with delicious passwords, and everyone wants a piece. But so far their password hashing and other protections seem to be holding strong, and the master passwords – to the best of our knowledge – have never been exposed.

At the end of the day, passwords are really just the first line of defense. Having a strong password is good, but multi-factor authentication is always better. Hackers can steal your password, but they will have to work harder to get to your biometrically sealed smartphone as well.

Avoid using SMS-based authentication, since those codes can be intercepted. Google’s Authenticator app is a good option that works with a number of accounts, including LastPass.

So while nothing is ever perfect, using basic hardening steps like LastPass can help save users from plenty of grief later down the road.

Gabriel Avner
