LastPass is one of the most prominent password managers around. It’s extremely convenient but if it were hacked, it would be quite the pain in the arse for users. In a blog post, the company has warned that a major exploit has been discovered and outlined what action users should take immediately.
Tavis Ormandy, a vulnerability researcher for Google’s Project Zero, tweeted on Sunday that he’d discovered a client-side vulnerability in the latest version of LastPass’ software that is “a major architectural problem”. It’s Project Zero’s policy not to disclose the details of vulnerabilities for 90 days after notifying the company that is at risk. According to Ormandy, this one’s going to take a while to work out.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way.
— Tavis Ormandy (@taviso) March 25, 2017
LastPass acknowledged the problem on Monday and it is not going into detail about the nature of the exploit. But, it is offering users some advice on what to do in the meantime. The boilerplate recommendations are to avoid phishing attacks and use two-factor authentication. At this point, two-factor authentication needs to just be a way of life and please don’t click that random attachment that was sent to you in an email from a stranger. But the third recommendation is annoying. They are recommending that users launch password protected sites from the LastPass vault, saying “this is the safest way to access your credentials and sites until this vulnerability is resolved”. That is, of course, not as annoying as having your entire online identity stolen.
Most likely, the safest thing one could do is to stop using the LastPass extension until it’s fixed, change all of your passwords, and enable two-factor authentication on everything. That decision is up to you.
Ormandy has previously discovered two other LastPass vulnerabilities that were quickly patched. This one seems like it will be a larger undertaking. 9to5 Mac is reporting that “the vulnerability appears to be present only in Google Chrome”. But I’m not seeing that information in the thread that’s linked and LastPass isn’t saying that, so let’s just assume that this affects all versions for now.
The beauty of a password manager is that it can make it easier for you to utilise strong and complex passwords. Don’t let this scare you away from them. All software has its flaws.