LastPass acknowledges vulnerability found by Google security researcher
Share on Facebook
Share on Twitter
Share on Google+
Share on Reddit
Share on Email

Screenshot of LastPass website

Exploits are a matter of when, not if. The question is how you react when someone finds a flaw in your software

In one of the signs that companies on the internet are starting to grow up and act like adults, password management service provider LastPass issued a post on their blog today detailing a report of a vulnerability that could leave their users open to malicious actors.

On Saturday March 25th, a security researcher named Tavis Ormandy posted a tweet saying that he had found a vulnerability in LastPass’s client that would allow him to get the codeexec.

Soon afterwards, he quickly followed with a second tweet saying that his exploit was working and that he had sent a full report on to LastPass. Despite it being Saturday, LastPass responded to Ormandy’s tweets,

LastPass’s security team must have ordered in bagels for working on Sunday because today they posted that they were already at work addressing the vulnerability. Describing it as “unique and highly sophisticated,” they promised to provide a more detailed post-mortem after the issue was resolved but due to concerns that someone might try to exploit the situation, they were avoiding any descriptions of it for the time being.

What caught my eye was their tip of the hat to Ormandy for his role in bringing this vulnerability to their attention. They wrote that, “we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market.”

Without providing an exact timeline, hopefully, the patch will become available soon.

As we have written about here in the past, it was not that long ago that bug hunters would find themselves facing lawsuits or prosecution for sifting through someone else’s code and bringing what they found to the right people so that it could be fixed.

While understandable that it can be embarrassing for a company, especially one whose business is their users’ security, to have their dirty laundry aired so publicly like we see on Twitter, it is far more dangerous for researchers to feel disincentivized against doing the bug hunting in the first place. It is good to see that LastPass is to an extent embracing these White Hats.

By thanking researchers and moving quickly to address the problems, the tech ecosystem appears to be showing that it is growing up and actually acting like an adult. Sometimes it still gets drunk and acts like an ass, and some habits are hard to break, but things seem to be getting better.

Based upon Ormandy’s public interactions with LastPass over the past few weeks, the direction feels good.

It is worth noting that this latest exchange of Ormandy uncovering vulnerabilities in LastPass’s client comes only a matter of days after he had reported another issue in their FireFox browser extension. As with this case, the company also acknowledged and reported resolved the same day.

So while the LastPass team is hard at work trying to plug this hole, they offered their users some valuable tips on how to play a little bit safer with their security.

Image Credit: Screenshot from LastPass’s blog on Phishing

Even for non-LastPass users, Two-Factor Authentication should be a must for everyone. Try to avoid using SMS-based tokens whenever possible since they are super easy to clone.

As a side note, it is worth checking out their guide on staying safe from phishing attacks.

It is worth taking a second to discuss whether password managers are a safe option for improving security. Some have expressed their concern of putting all of their passwords into one spot which could itself be hacked at some point.

While I understand this concern, so far the record for providers like LastPass is pretty impressive when it comes to protecting against breaches. More importantly, even as a breach is possible because anything can always happen, they still come out on top. This is because they prevent users from relying on bad practices like reusing passwords, using weak passwords, or a variety of other dangerous habits that are far more likely to leave you open to a hack.

Perhaps the better question should be over the security on browser extensions, which are by nature far more open to attacks. You will notice that when possible, security services for things like encryption and GPG/PGP will opt for a desktop client. However since we are all tied to what we can do on our browsers, we will have to find another solution down the line.

LastPass is by my account an excellent choice, offering a free version to you cheapskates as well as a premium option that clocks in at $1 a month. Outrageous I know. Please support good the radical idea that people should be paid for their work.

If you want to look elsewhere, Dashlane and 1Password also come highly recommended.

Share on:Share
Share on Facebook
Share on Twitter
Share on Google+
Share on Reddit
Share on Email
Gabriel Avner

About Gabriel Avner

Gabriel has an unhealthy obsession with new messaging apps, social media and pretty much anything coming out of Apple. An experienced security and conflict consultant, he has written for The Diplomatic Club, the Marine War College, and covers military affairs with TLV1 radio. He mostly enjoys reading articles wherever his ADD leads him to and training Brazilian Jiu Jitsu. EEED 44D4 B8F4 24BE F77E 2DEA 0243 CBD1 3F7C F4B6

More Goodies From Security

Russia in talks with US to create cybersecurity working group

FBI warns parents: Internet-connected toys can spy on your kids

Your data may have crashed, but you don’t have to!