Password managers are tools that help you keep track of the numerous accounts that a modern digital lifestyle needs.
These days, it’s not just passwords for your mainstream online accounts such as webmail, Facebook and Twitter.
Even activities that you probably don’t associate with online life – renting an apartment, for example, registering to pay tax, or applying for a visa – often end up at a web page that requires you to create an account before you can go any further.
Choosing and remembering secure passwords is hard enough when you have plenty of time to think about it.
But the password you choose for your visa application needs to be created on the spot, even though it’s more critical than the one you have for Facebook. (Try applying for a visa with a made-up name and a fake birthday like you did for your various online personas!)
Password managers can therefore be a great help:
- They can come up in an instant with as-good-as-unguessable passwords like
cAN;#F0vppVza2TB. - They can remember unguessable passwords as easily as you can remember
123456. - They can automatically type in complex passwords so you don’t make mistakes and lock yourself out.
- They can tie passwords to specific web pages so you don’t type them into imposter phishing sites by mistake.
- They can store your passwords in the cloud in case your laptop or phone is lost or stolen.
Those are the pros; most of us will can quickly come up with two cons:
- You will need a really good password for the password manager itself. The master password is basically a skeleton key for all your accounts.
- If you sync your passwords to the cloud, you’d better hope the cloud service doesn’t get breached.
But there’s a third problem, and it’s one that applies to any app that interacts with the outside world.
And most password managers do just that, because they usually work with your browser, and the content of various web pages, in order to decide which passwords are relevant to what sites.
In other words, your password manager is almost certainly at risk of all the usual vulnerabilities that apply to more traditional online software programs such as web browsers, Flash players and messaging apps.
Those range from DoS (denial-of-service) and information disclosure (a worrying sort of hole for a password manager to have) to EoP (elevation of privilege), and the Big Daddy of security bugs, RCE (remote code execution).
RCE means a crook can send in external content to trick your app into running unauthorised software without so much as an “Are you sure?”
Unfortunately, that’s just the sort of hole that researcher Tavis Ormandy of Google’s Project Zero security team says he’s found in the popular and widely-used password manager LastPass.
Note that an RCE bug in LastPass means that crooks who know how to exploit the vulnerability almost certainly also have an information disclosure hole at their disposal.
That’s because an RCE means that the crooks can almost certainly modify the behaviour of LastPass itself in real time, and trick it into revealing its own secrets.
But it’s worse than that, because most RCE holes also allow much more general-purpose attacks, such as implanting malware to subvert the security of other parts of the system, or installing ransomware, or stealing data directly from your hard disk that would otherwise be protected by a password that’s isn’t in LassPass.
What to do?
Should you stop using LastPass, either temporarily or permanently?
That’s hard to answer right now, but as far as we can tell, this isn’t actually a “zero-day” hole, no matter that it sounds like one.
A zero-day is where the crooks already known how to exploit a hole before a fix is available. (In other words, there were zero days during which even a well-informed sysadmin could have patched against the bug.)
In this case, Google is working with LastPass to come up with a fix, and the details of the bug have not yet been made public – what’s known, for obvious reasons, as “responsible disclosure.”
So, if you’re minded to give up LastPass on that basis alone, you probably also ought to give up Linux, Windows, OS X, Android and iOS, too.
After all, almost every security update for those platforms includes fixes for at least one (and sometimes for many) RCE holes…
…many of which were found in just the same way, by outside security researchers, and disclosed similarly.
If you are using LastPass, however, keep your eyes out for the next patch, and apply it promptly.
MrGutts
To many unknowns. Plus if this is the URL parsing bug, it’s fixed already and the bounty already paid out.
Jason Scott
I always find myself in agreement with your logical approach to risks and this is no different.
LonerVamp
Look at that, already fixed: https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
But yes, the place to look out for these apps is the AutoFill features. That feature has been a target for 10+ years, like in old RoboForm days.
Paul Ducklin
Good result. Last I looked (about and hour or two ago, around 2016-07-27T17:00Z), only one was fixed.
Kris
No it isn’t; that’s another vulnerability!
Paul Ducklin
For a while, the LastPass site was confusing because it mentioned “the [bug] reports” but then described only one of them as fixed (as you say, a different one).
But the site is clear now: both vulns are fixed, including this one.
Simon
I have an unhackable password manager. It’s called a notebook. I don’t keep it near my computer.
Bryan
the ‘zero day’ definition is missing a ‘not’ (well informed sysadmin could not have patched…)
Thanks for the heads-up on this…
Paul Ducklin
No, it’s right…there were “zero days to patch ahead of time”. Your change would make it say “zero days not to patch ahead of time”, which would not be what I meant :-)
Bryan
DOH! I interpreted “zero days” as a plural noun, which would require the sentence to have my edit to be grammatically correct…and then beg the question.
Circular logic is the best because it is circular!
sorry for the false alarm
:-)
Anonymous
Apparently its only a Firefox issue… Lastpass response
https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
Paul Ducklin
Yep, seems it’s been patched and the patch pushed out. Good outcome.
Anonymous
It’s not a zero-day, but I’m going to title my article that way anyways, because clicks
Paul Ducklin
We wrote “zero-day” in quotes (no one seems to have been confused) because that’s what people were reading and assuming elsewhere.
Technically, it is a zero-day if an outsider finds it while the product is unpatched in public use, but we nevertheless explained why we don’t really consider it an 0-day due to responsible disclosure.
I can’t imagine that any readers saw those quotes and didn’t figure out that we were intending to clarify the situation, because that’s what we like to do.
So you’re welcome to complain but I think you’re overblowing your trumpet, if I may say so.
Anonymous
Clicks man
Richard Battin
I looked and looked for a time/date stamp on this article. If it’s there, how did I miss it? If not, don’t you thing that would be helpful?
Paul Ducklin
There isn’t a timestamp, to be honest, but there is a date under the headline of every article… 27 JUL 2016 in this case.
Just below the headline and just above the image.
On the main page, there’s a date next to every article in the list.
Anonymous
This is the product Sophos employees have been suggesting is good only a few days ago. Pfft. Sorry but I don’t have faith in these services, this just confirms my fears.
4caster
I’m totally confused. I tried to update LastPass on my Mac running OS X 10.11.6. It installed LastPass 4.1.17 on Safari, 4.1.20 on Chrome, but Firefox persistently refused to download anything later than 3.3.1. But LastPass said we should have 4.1.21a!
MossyRock
I had the same issue with Firefox. I’ve notified LastPass about this problem. They said that they would get Mozilla to fix this problem in their add-ons store.
anon
As others have pointed out, anything linked via the internet is insecure – including password manager apps. Paper continues to offer real value. A home safe and safe deposit box are also wise investments.
Can remote control Windows services be turned off in a way that prevents RCE while allowing internet use that does not require such service? If not, use of digital devices over the internet is relegated to the world of children’s toys.
John Knops
A thought occurred to me. Can’t they “who want to” hack your password manager program which has saved all your passwords with a little innocuous “malvirus” that passes through Sophos Anti-Virus?
To me the “save your password for this domain?” feature on the programs and browsers is less secure than the post-it notes posted all over the back of my computer’s screen.
Paul Ducklin
Three words :-) Two factor authentication.