Stored Passwords Opened to Hackers with Major LastPass Flaw

Password managers seem like a great idea, given rampant password reuse, poor abilities to create strong passwords by the average user and the sheer number of credentials we’re supposed to remember. But major vulnerabilities have been found in LastPass—opening the door to a full remote compromise for its users.

Independent security researcher Tavis Ormandy said that the zero-day flaw can be exploited using a drive-by technique with a malicious website. If successful, the attacker gains the digital keys to the kingdom—all of the credentials that the user has stored for online services.

“Are people really using this lastpass [sic] thing?” Ormandy tweeted. “I took a quick look and can see a bunch of obvious critical problems.”

One Ormandy Twitter follower responded, “I'm perplexed anyone uses an online service to store passwords”—to which Ormandy responded, “Yeah, me too.”

Ormandy is famous for finding major bugs in popular antivirus tools for Google’s Project Zero. What he discovered in LastPass may not be limited to that service (he’s pledging to look into LastPass rival 1Password). He said that he has notified LastPass and won’t release technical details until the issue is patched.

Photo © Tashatuvango

The takeaway? Consumers and businesses should be aware of the risks and weigh them accordingly. The need to use a password manager is clear, according to Gavin Millard, EMEA technical director at Tenable Network Security. Yet, “password managers aren’t without issue though, and LastPass themselves have been in the spotlight before for other flaws discovered,” he said. “Unfortunately, as the complexity of password managers increases, innovative functionality added and support for multiple devices by syncing through the cloud, it’s not surprising vulnerabilities will be discovered.”

Another security researcher, Matthias Karlsson, claims to have compromised LastPass. In that case, it was an issue in browser extensions that allowed auto-fill for credentials. The issue is now fixed, he said, noting that he earned a $1,000 bug bounty for his efforts.

 “I’m still an advocate of password managers, [because] average humans simply don’t have the capabilities to retain many complex strings of characters nor should we have to. But when using these helpful tools, we have to be aware of the risks and benefits,” said Millard. "With researchers like Ormandy digging through the code to cast a light on issues, everyone will benefit from a more secure solution."

What’s Hot on Infosecurity Magazine?