A serious vulnerability was recently discovered in the popular LassPass password manager and developers are scrambling to fix the issue which makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.
The flaw, which affects the most recent version of the browser extension, was briefly described on Saturday, March 25th, by Tavis Ormandy, a researcher with Google’s Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn’t present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.
Ormandy offered the following statement:
“It will take a long time to fix this properly, It’s a major architectural problem. They have 90 days, no need to scramble!”
The blog post describing the issue had LastPass company officials thanking Ormandy for the alert and stating that a fix was on the way. In the meantime, it was suggested that LastPass users protect themselves by by entering stored passwords into websites using the LastPass vault as a launch pad for opening websites and entering passwords and enabling two-factor authentication on sites that offer it.
The attack was described as both unique and highly sophisticated. LastPass, in turn, stated that the company didn’t want to disclose details regarding the vulnerability or the fix to outside parties. Users, in turn, could expect a more detailed post mortem once the work was complete.
The string of vulnerabilities underscores the tradeoff that comes from use of any password manager. Storing dozens, hundreds, or even thousands of passwords in a single place poses catastrophic risks should that resource be breached. Exploits become easier by convenience features that, for example, store encrypted password vaults in Internet-accessible locations or automatically paste passwords into websites. Ultimately, password managers likely make the average user safer because they make it possible to use long, complex, and unique passwords. And that protects people in the event that their password is exposed in website breaches, which are much more common than real-world password manager exploits.
If you use LastPass, please take care and stay tuned for additional details as they become available.
Via Ars Technica, Twitter and blog.lastpass.com