Another hole opens up in LastPass that could take weeks to fix

Tavis Ormandy of Google’s Zero Day Project just won’t leave LastPass in peace.

We’ve already reported on a slew of flaws Ormandy uncovered in the popular password manager in recent weeks, praising the speed with which the company acknowledged and jumped on the issues.

At the weekend, LastPass got another email from their nemesis. You imagine the vulnerability logging team saw his name and their hearts sank – and rightly so, for this new flaw appears to be a big one.

Said Ormandy on Twitter:

Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way.

He then added:

OK, exploit working and full report sent to LastPass. Now time to put some pants on.

Ormandy didn’t add much detail beyond mentioning his own proof-of-concept exploit but we do know that it is “a major architectural problem” that could take a while to fix.

Given Project Zero’s strict 90-day disclosure policy for making a vulnerability public, a “while” could mean weeks rather than days.

The flaw affects users of version 4.x across all browsers and platforms and would allow a phishing attacker to steal passwords from the LastPass vault when a user is drawn to a malicious website. Attackers could also execute code on computers running LastPass’s binary component.

If you’ve never heard of the latter, it is used by Chrome, Safari and Opera to enable certain features (IE and Firefox don’t need it). To check whether it is present in these browsers, click More Options and then About LastPass: if the binary component is listed as “false”, it’s not installed.

It’s not clear whether the flaw affects the old v3.x extension for Firefox although it would be safe to assume it does. This, in any case, is due to be decommissioned any day now.

LastPass’s advice runs as follows: launch sites from inside the Vault rather than from the toolbar or using auto-fill. From LastPass’s stark assessment of the problem, this inconvenient option might be the only safe way to use LastPass for the time being.

Then turn on two-factor (or two-step) authentication on sites that offer such a thing. Frankly, users should do that anyway.

Finally, although there is no evidence that anyone other than LastPass and Ormandy knows about the flaw, anyone who did would most likely target users with some kind of phishing attack. There’s no defence against that beyond the two-factor authentication mentioned above, mixed with the usual abundance of caution.

Last week, we were upbeat about LastPass’s approach of acknowledging vulnerabilities quickly and trying to fix them as rapidly as possible. We stand by that assessment, but it is disconcerting how easily Ormandy has been able to tear a sizable hole in supposedly mature software launched almost nine years ago.

A post-mortem has been promised by LastPass. Needless to say, the company’s millions of committed users will be interested to hear the company’s analysis.