LastPass Remote Compromise vulnerability - gHacks Tech News

LastPass Remote Compromise vulnerability

LastPass has a bunch of critical problems, at least one of which allows attackers to compromise the password manager remotely, according to Google researcher Tavis Ormandy.

LastPass is one of the most popular online password management services on today's Internet. The service offers extensions for various browsers, mobile apps, and dedicated solutions for various operating systems and devices.

Tavis Ormandy has sent a full report to LastPass, and it appears that the company is analyzing and fixing the issues at the time of writing.

The issues have not been disclosed publicly yet. While that is the right thing to do until they are fixed, it means that LastPass users don't really know if the issue can be mitigated until a fix is provided.

Update: LastPass released a security update for the Firefox add-on. According to a blog post on the official site, an attacker could lure a LastPass user to a malicious site to execute LastPass actions in the background without the user knowing about them. This has been fixed in LastPass 4.0 for Firefox.
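The LastPass statement quoted in the comments below names 4.1.21a as the Firefox add-on build that carries the fix and says that the 3.x add-on is not impacted. The following is an added example, not code from the article or from LastPass: a small Python check that classifies installed LastPass-for-Firefox versions against those two statements, reading constructed data modelled on the layout of Firefox's extensions.json (an "addons" list with "version", "active" and a "defaultLocale" name block, which is an assumption here; the add-on ids are placeholders). It compares versions numerically, so that a hypothetical 4.10 sorts after 4.9 and the "a" suffix is handled.

```python
import json
import re

# Build that LastPass' statement (quoted in the comments) names as carrying the
# Firefox fix. Taken from that statement; treated as an assumption here.
FIXED_VERSION = "4.1.21a"
# LastPass said the 3.x add-on is not impacted; only the 4.x line is.
AFFECTED_MAJOR = 4

# Constructed sample data modelled on Firefox's extensions.json layout
# (assumption: an "addons" list whose entries carry "version", "active" and a
# "defaultLocale" block with the add-on "name"). Ids are placeholders, not
# the real LastPass add-on id.
SAMPLE_PROFILES = {
    "profile-a": '{"addons": [{"id": "placeholder-lastpass-id", "defaultLocale": {"name": "LastPass"}, "version": "3.1.1", "active": true}]}',
    "profile-b": '{"addons": [{"id": "placeholder-lastpass-id", "defaultLocale": {"name": "LastPass"}, "version": "4.0.9", "active": true}]}',
    "profile-c": '{"addons": [{"id": "placeholder-lastpass-id", "defaultLocale": {"name": "LastPass"}, "version": "4.1.21a", "active": true}, {"id": "placeholder-other-id", "defaultLocale": {"name": "Some Other Add-on"}, "version": "1.7.6", "active": true}]}',
    "profile-d": '{"addons": [{"id": "placeholder-other-id", "defaultLocale": {"name": "Some Other Add-on"}, "version": "1.7.6", "active": true}]}',
}


def parse_version(v: str):
    """Turn '4.1.21a' into ((4, 1, 21), 'a') so versions compare numerically
    rather than as strings (a '4.10' must sort after a '4.9')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def assess(version: str) -> str:
    """Classify an installed LastPass-for-Firefox version against the advisory."""
    parsed = parse_version(version)
    if parsed[0][0] < AFFECTED_MAJOR:
        return "not affected"  # 3.x line, per LastPass' statement
    if parsed >= parse_version(FIXED_VERSION):
        return "patched"
    return "vulnerable"  # 4.x line but older than the fixed build


def scan_profile(extensions_json_text: str) -> dict:
    """Return {add-on name: status} for every active LastPass entry found."""
    data = json.loads(extensions_json_text)
    results = {}
    for addon in data.get("addons", []):
        name = addon.get("defaultLocale", {}).get("name", "")
        if not addon.get("active", False) or "lastpass" not in name.lower():
            continue
        results[name] = assess(addon.get("version", "0"))
    return results


def scan_all(profiles: dict) -> dict:
    """Summarise every profile; profiles with no LastPass entry report 'absent'."""
    summary = {}
    for profile, text in profiles.items():
        found = scan_profile(text)
        summary[profile] = next(iter(found.values()), "absent")
    return summary


if __name__ == "__main__":
    for profile, status in scan_all(SAMPLE_PROFILES).items():
        print(f"{profile}: {status}")
```

On a real machine the same functions would be fed the contents of each profile's extensions.json instead of the constructed strings; the match is on the add-on name rather than its id precisely because the id is not known from this page.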

Additional information about the reported issue is available on the Project Zero forum over at Chromium.org.


The only information provided so far is the following two tweets:

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.

Considering that, it is unclear if features such as two-factor authentication or use of other security add-ons protect users and data from attacks. In fact, it is not even clear if LastPass' network and infrastructure, the browser extension, mobile apps or other products are affected by the vulnerability.

It may well be that only the browser extension is affected, considering that it is the product Tavis most likely examined, given its availability for the Chrome browser.

The security researcher has set his sights on the next password manager, 1Password, which is up next according to a Twitter message.

Password managers store critical data. This makes them one of the most important programs for a user, and a lucrative target for attackers.

The disclosed security issue is not the first incident in LastPass' history. In 2015, LastPass confirmed that it detected suspicious activity on the company network. Only recently, another issue was reported and fixed that allowed attackers to extract passwords using the extension's autofill functionality.

LastPass is usually very responsive and fast when it comes to patching security issues affecting company products. We will update the article when new information comes to light.


Comments

  1. Jack said on July 27, 2016 at 1:52 pm
    Reply

    I have little sympathy for people who put all their passwords in a known online location with millions of other users, and who think the system will never fall to an attack. It’s a huge target. Of course security will be breached from time to time. Idiots.

    1. M said on July 28, 2016 at 12:40 pm
      Reply

      we don’t give a fuck about your sympathy or anything else really.

      1. Panama Pat said on July 28, 2016 at 10:14 pm
        Reply

        Jack, you're the idiot calling everybody else idiots. You think we give a shit about your opinion, we don't!!!

  2. anohana said on July 27, 2016 at 3:24 pm
    Reply

    I use KeePass in Dropbox. I wonder if he will take a look at it.

    1. Padraig said on July 27, 2016 at 3:45 pm
      Reply

      I think I read recently that the EU is to audit KeePass code?

      1. Martin Brinkmann said on July 27, 2016 at 4:49 pm
        Reply

        Yes they will, but no word yet on when this will be done.

    2. Martin Brinkmann said on July 27, 2016 at 4:49 pm
      Reply

      Would love him to do so, but I doubt it. KeePass is of no interest to Google and its products.

  3. Harushi said on July 27, 2016 at 5:25 pm
    Reply

    I don’t think this article should be released just because of a tweet of a Google researcher. It should be when the Google researcher releases a detailed report. A Twitter account could be hacked or something else. Just my opinion.

  4. intelligencia said on July 27, 2016 at 7:34 pm
    Reply

    Hello Everyone:

    This latest incident makes me even MORE skittish about using these Password Managers . . . I’ll keep using my passwords the Old fashioned way – – Thank You Very Much!

    i

  5. Kin said on July 27, 2016 at 8:03 pm
    Reply

    I just love these “white” hackers that tell a company to “contact them ASAP”. So high of themselves that they won’t even bother writing to support, it seems.

    I don’t doubt he found something, but the way he discloses them is highly egotistical.

  6. daz said on July 27, 2016 at 10:32 pm
    Reply

    I use keepassx and I think it's insane to use an online password manager, and this clearly shows why. I much prefer all my passwords stored locally in an encrypted database.

    1. Panama Pat said on July 28, 2016 at 10:16 pm
      Reply

      good for you, but who really cares what you do.

  7. CHEF-KOCH said on July 27, 2016 at 11:00 pm
    Reply

    Depending on how complex the code is, the audit can take 1 or 2 years (if it’s a good one). That was the reason I did not switch to VeraCrypt immediately, because everyone forked it and cloned it with some changes here and there. The audit takes time, and just because there is a fork does not mean anything until there is proof.

    I’m a friend of offline databases, but we wouldn’t have that much trouble if they would encrypt their databases, so no matter what, even if something is compromised, no one would get access to it.

  8. Robert said on July 27, 2016 at 11:26 pm
    Reply

    This is a key example for why SQRL should be adopted. https://www.grc.com/sqrl/sqrl.htm

    1. LogicDaemon said on July 31, 2016 at 9:08 am
      Reply

      nah, another “smartphone app”-based login “solution” can not be good. And using QR codes for logging in is even worse.

  9. Hans said on July 27, 2016 at 11:51 pm
    Reply

    LastPass already posted a message on this topic. It only affects Firefox and a fix has been issued
    https://blog.lastpass.com/2016/07/lastpass-security-updates.html/

    1. Martin Brinkmann said on July 28, 2016 at 6:29 am
      Reply

      Say what you want, they are quick to fix issues that are reported to them.

  10. wonton said on July 28, 2016 at 3:35 am
    Reply

    Pale Moon users are at risk, they are not able to use the newer version of LP.

    1. George said on July 31, 2016 at 11:26 am
      Reply

      I’d suggest Pale Moon users to use a password manager that fully supports them (unlike LastPass). One example is the excellent Sticky Password (full support for Pale Moon x86, but not the 64bit version – at least for now).

  11. ustavio said on July 28, 2016 at 4:42 am
    Reply

    Firefox extension just updated to 4.1.21a so I’m guessing the issue has been resolved.

    1. Martin Brinkmann said on July 28, 2016 at 6:27 am
      Reply

      Right, LastPass issued a statement that the reported issue in the Firefox add-on has been resolved. I have updated the article to reflect that.

      1. Bobby Phoenix said on July 28, 2016 at 4:48 pm
        Reply

        The recent report only affects Firefox users. If you are a Firefox user running LastPass 4.0 or later, an update will be pushed via your browser with the fix in version 4.1.21a. If you would like to update your client proactively, you can update with our download link here: https://lastpass.com/lastpassffx. You can check which version you are running in your LastPass browser addon, under the More Options menu in About LastPass. If you are running LastPass 3.0, you are not impacted and do not need to update.

        Maybe update the article please?

    2. Bobby Phoenix said on July 28, 2016 at 4:44 pm
      Reply

      Mine is still showing 3.1.1. That’s the same if you go to the Add-on page. It shows last updated March 4, 2016.

  12. Earl said on July 28, 2016 at 3:40 pm
    Reply

    Well, it involved phishing and Firefox. So, if you got hacked, then you had no one to blame but yourself? (“this lastpass thingy”, huh–calls into question his awareness of security to begin with)
