Tavis Ormandy of Google’s Zero Day Project just won’t leave LastPass in peace.
We’ve already reported on a slew of flaws Ormandy uncovered in the popular password manager in recent weeks, praising the speed with which the company acknowledged and jumped on the issues.
At the weekend, LastPass got another email from their nemesis. You imagine the vulnerability logging team saw his name and their hearts sank – and rightly so, for this new flaw appears to be a big one.
Said Ormandy on Twitter:
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way.
OK, exploit working and full report sent to LastPass. Now time to put some pants on.
Ormandy didn’t add much detail beyond mentioning his own proof-of-concept exploit but we do know that it is “a major architectural problem” that could take a while to fix.
Given Project Zero’s strict 90-day disclosure policy for making a vulnerability public, a “while” could mean weeks rather than days.
The flaw affects users of version 4.x across all browsers and platforms and would allow a phishing attacker to steal passwords from the LastPass vault when a user is drawn to a malicious website. Attackers could also execute code on computers that running LastPass’s binary component.
If you’ve never heard of the latter, it is used by Chrome, Safari and Opera to enable certain features (IE and Firefox don’t need it). Checking for its presence on these browsers can be achieved by clicking More Options and About LastPass: if binary component is listed as “false” then it’s not present.
It’s not clear whether the flaw affects the old v3.x extension for Firefox although it would be safe to assume it does. This, in any case, is due to be decommissioned any day now.
LastPass’s advice runs as follows: launch sites from inside the Vault rather than from the toolbar or using auto-fill. From LastPass’s stark assessment of the problem, this inconvenient option might be the only safe way to use LastPass for the time being.
Then turn on two-factor (or two-step) authentication on sites that offer such a thing. Frankly, users should do that anyway.
Finally, although there is no evidence that anyone other than LastPass and Ormandy knows about the flaw, if they did they’d target users using some kind of phishing attack. There’s no defence against that beyond the authentication security mentioned above mixed with the usual abundance of caution.
Last week, we were upbeat about the way LastPass’s approach of quickly acknowledging and trying to fix vulnerabilities as rapidly as possible. We stand by that assessment but it is disconcerting how easily Ormandy has been able to tear a sizable hole in supposedly mature software launched almost nine years ago.
A post-mortem has been promised by LastPass. Needless to say, the company’s millions of committed users will be interested to hear the company’s analysis.
Pingu
Is LastPass “excessively” in the news because it is inherently less secure than its competitors, or because it is “the market leader” and therefore gets more than its fair share of scrutiny?
John E Dunn
Inherently less secure? That’s unlikely. All we can say is that someone has taken the time to find the flaws in LastPass.
Jimmy
And this is why I don’t trust Password Managers..
Jay
All the vulnerabilities so far have been ‘in specific circumstances’. For example, you need to have the binary component enabled AND get a phishing email that you a. fall for (so targeted) and b. follow the link on. After that the exploit needs to run and not be blocked by any security tools/software.
Alternatively, you could subscribe to a limited password re-use policy, because let’s face it most people re-use at least part of their passwords, or have “password_facebook” style passwords, where the scenario would be almost identical with a rather large difference of ‘likely targeted’ email being ‘any random spam’ email.
I trust password managers more than I trust the average home user. Tavis Ormandy just seems to be going out of his way to find vulnerabilities and exploit them. If anything this is a good thing as it will make LastPass more secure in the future.
optimaximal1
He doesn’t ‘go out of his way to exploit them’ – His entire job is basically trying to break into other companies programs and then report the problems to the company.
They then have 90 days to fix the problem before Google publishes the problem to the public – in which time, you’d hope the problem would have been long patched.
Roger
Has this bug been fixed yet? I can’t find any info on it?!
Larry Marks
@Jay. There seem to be two different vulnerabilities here. (1) Bad guys can read your vault if you visit a malicious website, and (2) If you have the binary component installed, bad guys can execute arbitrary code on your computer.
Each of these is a single event, not a series as you suggest.
Shastra
In essence, there is little difference between LastPass and you and I. We all go through life, and every so often, have a crisis, a catharsis, an expunging. We work through it, and feel better, cleaner, less burdened. So it is with LastPass. Be thankful that the vulnerability has been revealed and extirpated.
Chris
If someone getting into the vault is the the problem, then it might be a good idea to close it more often, especially during inactivity. Setting
Automatically Log out after idle (mins)
preference to a low value helps here. This means reentering the master password/passphrase more frequently until the fix is in.
SFdude
Very good advice, Chris!
Just did it on my LP…thks.
But also,
just found out that LP’s “BINARY COMPONENT”
is turned on and active in my PC.
I use Firefox (under Linux) and this article
says that:
“LP’s BINARY COMPONENT is NOT needed if you use Firefox “.
THE Q:
So, how /where
do I turn OFF/deactivate this BINARY COMPONENT ?
Thanks!
SFdude
optimaximal1
I believe you can uninstall it using your package manager.
kahomono
Quitting LastPass strikes me as similar to the person who ran under a tree to shelter from a (non-lightning) heavy rain. Their idea is, when the rain works through the leaves and starts drenching them, they will move to another tree.
I think going to another password manager will not improve your safety. I think going WITHOUT a password manager will definitely make it worse.
Anonymous
Perhaps however there could be value in moving to a password manager that is not so closely tied to the browser.
At least that closes one vector of attack.
You do lose the phishing protection I do admit.
kahomono
I used KeePass until I got a ChromeBook. The advantage of the ChromeBook is you can do everything in the browser. The disadvantage of the ChromeBook is… you have to do everything in the browser.
Shawn
Tavis is far from being LastPass’s nemesis. On the contrary, he is doing them a great service. He is finding the vulnerabilities that they couldn’t/didn’t find themselves and reporting them in such a way that they can get them fixed. This makes their software safer and they are getting it for free.
John E Dunn
It’s called tough love.