LastPass steps up quickly to fix vulnerabilities spotted by researchers

When vulnerabilities turn up in password-managing Leviathan LastPass, they have a habit of arriving in small but important flurries.

Last year, the platform was hit by two flaws, one discovered by Matthias Karlsson of Detectify, the other by Google Project Zero Flawhunter General, Tavis Ormandy. In both cases, LastPass appears to have sprung into action well in advance of their public notification.

In January came researcher Sean Cassidy’s “LostPass” flaw, really more of a design issue turned into a clever proof-of-concept phishing attack, complete with a partial bypass for two-step verification (i.e. LastPass used without a hard token such as the YubiKey).

LastPass responded quickly with a tweak, grizzled a bit about the way Chrome limits notifications to the browser windows, but explained its side of the issue in some depth.

Only days ago, Ormandy returned, reporting three issues across the Firefox, Chrome and Edge browser extensions, including a fairly serious “website connector” one that could have allowed attackers to pass internal commands (the things that do LastPass’s password and form-filling heavy lifting) after luring users to a malicious website.

Admitted LastPass, gamely:

Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as the user’s login credentials.

Given that LastPass is a password manager that usually stores dozens to hundreds of passwords and user names, this is like making off with the crown jewels using only two lines of JavaScript. The flaw can even be used to execute commands on the computer, which Ormandy demonstrated using a disturbing calc.exe proof-of-concept.
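The article describes the bug class at a high level: a web page the user was lured to could reach the extension’s internal command channel. The following is an added illustration of that class written from the defender’s side, not LastPass’s code or Ormandy’s proof-of-concept; every command name, origin and message here is a constructed stand-in. It puts a handler that trusts whatever a page posts next to one that checks the sender’s origin, the message shape and a short list of commands that may be exposed to web content at all.

```javascript
// Added illustration (not LastPass code): an extension-side message handler that
// runs "internal commands" named by web page messages, in weak and hardened form.
// All names below are hypothetical stand-ins for a real extension's internals.

// Hypothetical privileged operations the extension background logic can perform.
// The dispatcher records every call so the effect of each handler is observable.
function makeDispatcher() {
  const calls = [];
  const handlers = {
    getCredentials: (args) => {
      calls.push(['getCredentials', args]);
      return { site: args.site, user: 'alice', pass: 'hunter2' }; // constructed vault entry
    },
    fillCurrentForm: (args) => { calls.push(['fillCurrentForm', args]); return true; },
    runNative: (args) => { calls.push(['runNative', args]); return 'spawned'; },
  };
  return { calls, run: (cmd, args) => handlers[cmd](args) };
}

// WEAK: the pattern that lets any page drive the extension. The command is read
// straight out of the message and executed, with no check of who sent it or
// whether that command was ever meant to be reachable from a web page.
function weakHandler(event, dispatcher) {
  const { cmd, args } = event.data;
  return dispatcher.run(cmd, args);
}

// Constructed allow-lists for the hardened handler: which origins may talk to the
// extension, and which commands web content may name. Vault reads and anything
// that touches the host OS are deliberately absent from the web-exposed set.
const TRUSTED_ORIGINS = new Set(['https://vault.example']); // placeholder origin
const WEB_EXPOSED_COMMANDS = new Set(['fillCurrentForm']);

// HARDENED: reject before dispatch unless origin, shape and command all pass.
// Each rejection carries a reason and the origin so it can be logged and alerted on.
function hardenedHandler(event, dispatcher) {
  if (typeof event.origin !== 'string' || !TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted-origin', origin: event.origin };
  }
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.cmd !== 'string') {
    return { ok: false, reason: 'malformed-message', origin: event.origin };
  }
  if (!WEB_EXPOSED_COMMANDS.has(data.cmd)) {
    return { ok: false, reason: 'command-not-exposed', origin: event.origin, cmd: data.cmd };
  }
  const args = data.args !== null && typeof data.args === 'object' ? data.args : {};
  return { ok: true, result: dispatcher.run(data.cmd, args) };
}

// Constructed messages: one from an attacker-controlled page asking for a vault
// entry, one legitimate fill request, and one trusted-origin request for a
// command that must never be reachable from web content.
const MALICIOUS_MESSAGE = {
  origin: 'https://evil.example',
  data: { cmd: 'getCredentials', args: { site: 'bank.example' } },
};
const LEGIT_MESSAGE = {
  origin: 'https://vault.example',
  data: { cmd: 'fillCurrentForm', args: { form: 'login' } },
};
const ESCALATION_MESSAGE = {
  origin: 'https://vault.example',
  data: { cmd: 'runNative', args: { program: 'calc.exe' } },
};

// Runs the same messages through both handlers and returns what each did.
function demo() {
  const weak = makeDispatcher();
  const weakResult = weakHandler(MALICIOUS_MESSAGE, weak); // credential handed to the page
  const hard = makeDispatcher();
  const blocked = hardenedHandler(MALICIOUS_MESSAGE, hard);
  const allowed = hardenedHandler(LEGIT_MESSAGE, hard);
  const escalation = hardenedHandler(ESCALATION_MESSAGE, hard);
  return { weakResult, weakCalls: weak.calls, blocked, allowed, escalation, hardCalls: hard.calls };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the weak handler return the constructed credential to the untrusted page while the hardened one leaves only the single fill request in its call log. The point of the `reason`/`origin` fields is operational: a real extension should log those rejections, because a burst of `untrusted-origin` or `command-not-exposed` events is exactly the signal a defender wants when a page starts probing the extension.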

LastPass discovered that issue on March 20, and, from what we can tell, cancelled all vacation:

Upon notification of the vulnerability, the LastPass team immediately shut down the vulnerable service, and began work to update all affected clients.

Noticing a pattern? In fact there are two: LastPass suffers occasional software vulnerabilities, including the odd very serious one – nothing unusual in that perhaps – but then immediately sets to work fixing them.

We mention this not to laud LastPass to the skies with a tear in our eye but because it’s what all software companies with millions of users should do in this situation. Serious flaws shouldn’t be there in the first place, but before a single line of code has been re-written it’s a question of attitude.

Good response and communication are critical for cloud password managers, which have gone from useful utilities to a fundamental tool in no time at all. A flaw ignored could one day spell curtains.

Patching password managers is more challenging than it seems, and not simply because updates have to be approved by the browser-makers. Because they work as extensions for multiple browsers, it can be confusing keeping up with which flaw affects which piece of software.

An added complication with the LastPass Firefox extension has been that it maintains two channels, an older 3.x (due for retirement imminently) and the new, and in some quarters not necessarily loved, 4.x.

LastPass users running 4.1.36 (Firefox), 4.1.43 (Chrome), 4.1.30 (Edge) and 4.1.28 (Opera) are patched against the serious web connector issue. A second, overlapping vulnerability affects the older Firefox 3.3.2 version with the fix being an upgrade to 4.x.

So, even without the existential crisis of a known exploit, not a great week for LastPass. But we sense the pleasing urgency.