Exploits are a matter of when, not if. The question is how you react when someone finds a flaw in your software
In one of the signs that companies on the internet are starting to grow up and act like adults, password management service provider LastPass issued a post on their blog today detailing a report of a vulnerability that could leave their users open to malicious actors.
On Saturday, March 25th, a security researcher named Tavis Ormandy posted a tweet saying that he had found a vulnerability in LastPass’s client that would allow him to achieve code execution.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) March 25, 2017
Soon afterwards, he followed up with a second tweet saying that his exploit was working and that he had sent a full report to LastPass. Despite it being Saturday, LastPass responded to Ormandy’s tweets:
We are aware of a new report by @taviso and are investigating the issue now. Please stay tuned.
— LastPass (@LastPass) March 25, 2017
LastPass’s security team must have ordered in bagels for working on Sunday, because today they posted that they were already at work addressing the vulnerability. Describing it as “unique and highly sophisticated,” they promised to provide a more detailed post-mortem after the issue was resolved. Out of concern that someone might try to exploit the situation, however, they were avoiding any description of it for the time being.
What caught my eye was their tip of the hat to Ormandy for his role in bringing this vulnerability to their attention. They wrote that, “we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market.”
LastPass did not provide an exact timeline, but hopefully the patch will become available soon.
As we have written about here in the past, it was not that long ago that bug hunters would find themselves facing lawsuits or prosecution for sifting through someone else’s code and bringing what they found to the right people so that it could be fixed.
It is understandable that it can be embarrassing for a company, especially one whose business is its users’ security, to have its dirty laundry aired as publicly as we see on Twitter. But it is far more dangerous for researchers to feel disincentivized from doing the bug hunting in the first place. It is good to see that LastPass is, to an extent, embracing these White Hats.
By thanking researchers and moving quickly to address the problems, the tech ecosystem appears to be showing that it is growing up and actually acting like an adult. Sometimes it still gets drunk and acts like an ass, and some habits are hard to break, but things seem to be getting better.
Based upon Ormandy’s public interactions with LastPass over the past few weeks, the direction feels good.
It is worth noting that this latest instance of Ormandy uncovering a vulnerability in LastPass’s client comes only a matter of days after he reported another issue in their Firefox browser extension. As in this case, the company acknowledged it and reported it resolved the same day.
We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.
— LastPass (@LastPass) March 21, 2017
So while the LastPass team is hard at work trying to plug this hole, they offered their users some valuable tips on how to play a little bit safer with their security.
Even for non-LastPass users, two-factor authentication should be a must for everyone. Try to avoid using SMS-based tokens whenever possible, since they are super easy to clone.
As a side note, it is worth checking out their guide on staying safe from phishing attacks.
It is worth taking a second to discuss whether password managers are a safe option for improving security. Some have expressed concern about putting all of their passwords into one spot that could itself be hacked at some point.
While I understand this concern, so far the record of providers like LastPass is pretty impressive when it comes to protecting against breaches. More importantly, even though a breach is always possible, because anything can happen, password managers still come out on top. This is because they keep users from relying on bad practices like reusing passwords, using weak passwords, or a variety of other dangerous habits that are far more likely to leave you open to a hack.
Perhaps the better question should be about the security of browser extensions, which are by nature far more open to attacks. You will notice that, when possible, security services for things like encryption and GPG/PGP opt for a desktop client. However, since we are all tied to what we can do in our browsers, we will have to find another solution down the line.
LastPass is by my account an excellent choice, offering a free version for you cheapskates as well as a premium option that clocks in at $1 a month. Outrageous, I know. Please support the radical idea that people should be paid for their work.
If you want to look elsewhere, Dashlane and 1Password also come highly recommended.