LastPass is one of the most prominent password managers around. It’s extremely convenient, but if it were hacked, it would be quite the pain in the arse for users. In a blog post, the company has warned that a major exploit has been discovered and outlined what action users should take immediately.
Tavis Ormandy, a vulnerability researcher for Google’s Project Zero, tweeted on Sunday that he’d discovered a client-side vulnerability in the latest version of LastPass’ software that is “a major architectural problem”. It’s Project Zero’s policy not to disclose the details of vulnerabilities for 90 days after notifying the company that is at risk. According to Ormandy, this one’s going to take a while to work out.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) March 25, 2017
LastPass acknowledged the problem on Monday and is not going into detail about the nature of the exploit. But it is offering users some advice on what to do in the meantime. The boilerplate recommendations are to avoid phishing attacks and use two-factor authentication. At this point, two-factor authentication needs to just be a way of life, and please don’t click that random attachment that was sent to you in an email from a stranger. But the third recommendation is annoying. They are recommending that users launch password-protected sites from the LastPass vault, saying “this is the safest way to access your credentials and sites until this vulnerability is resolved”. That is, of course, not as annoying as having your entire online identity stolen.
Most likely, the safest thing one could do is to stop using the LastPass extension until it’s fixed, change all of your passwords, and enable two-factor authentication on everything. That decision is up to you.
Ormandy has previously discovered two other LastPass vulnerabilities that were quickly patched. This one seems like it will be a larger undertaking. 9to5 Mac is reporting that “the vulnerability appears to be present only in Google Chrome”. But I’m not seeing that information in the thread that’s linked and LastPass isn’t saying that, so let’s just assume that this affects all versions for now.
The beauty of a password manager is that it can make it easier for you to utilise strong and complex passwords. Don’t let this scare you away from them. All software has its flaws.
[LastPass via Ars Technica, 9to5 Mac]
Comments
2 responses to “LastPass Exploit Shows That Last Password You Made Probably Wasn’t Your Last”
I enjoy LastPass! Until it started causing any web page to freeze my entire browser for 5 seconds when loading. Little sad over that.
Use your own homegrown 2-factor authentication… use password manager’s random password, but ADD your own “suffix” characters (not saved in the PW manager). You simply type those characters after the PW is pasted into the site. The suffix characters don’t have to be random because the beginning already is.
That way, if the PW manager is hacked, the stolen PWs won’t work.
Sounds like a great idea but could you give more detail on how to do it please? Thanks!
It looks like they’re assuming that based on Tavis Ormandy’s tweet:
The LastPass app/add-on/extension for each platform is its own entity with its own version number. You can look at the LastPass download page on their website and see that only Chrome and Safari are version 4.1.43: https://lastpass.com/misc_download2.php (not counting the universal installers, which clearly bundle multiple LastPass apps and seem to just use the Chrome version number).