Tavis Ormandy, one of the security researchers from Google’s “Project Zero” group, has been looking for (and finding) vulnerabilities in popular password managers for the past few months. He recently found a new bug in LastPass’ extension that would have allowed attackers to steal any of your passwords saved via the service. Another similar-but-different bug was also reported in the utility's Firefox add-on.
Password Manager Security
Security experts generally recommend password managers, not necessarily because they’re an ideal way to deal with passwords, but because they’re the best way to deal with them without re-using the same password on multiple sites. Re-using passwords seems to be a much bigger risk than keeping all of your passwords in a password-protected and encrypted vault. Plenty of data breaches and account hacks have shown the risk of password reuse.
As an example, your Gmail password may be safe on Google’s servers, but if you use the same password for another website, and then that website is hacked, the attackers could log in to your Gmail account. Gmail's servers were secure the whole time, but that didn't matter in the end, because the attacker was able to obtain that same password from a much less secure website.
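As an added illustration of the reuse risk described above (this is example code, not code from the article or from any password manager), the Python script below scans a vault export in a constructed url,username,password CSV layout, lists which sites share a single password, and answers the Gmail scenario's question: if one site leaks its password, which other sites in the vault are exposed. The export format, column names and site names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample vault export in a url,username,password CSV layout.
# The column names are an assumption; real exports differ between managers.
SAMPLE_EXPORT = """url,username,password
https://mail.google.com,alice@example.com,Tr0ub4dor&3
https://forum.example.net,alice,Tr0ub4dor&3
https://shop.example.org,alice@example.com,correct horse battery staple
https://bank.example.com,alice,Tr0ub4dor&3
https://news.example.io,alice,x9!Lq2#vP
"""


def _sites_by_password(export_text):
    """Map each password to the sorted list of sites it is used on."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["password"]:  # skip entries without a password (notes, etc.)
            groups[row["password"]].add(row["url"])
    return {pw: sorted(sites) for pw, sites in groups.items()}


def find_reused_passwords(export_text):
    """Return the groups of sites that share one password (two or more sites).
    The passwords themselves are left out so the result is safe to print."""
    groups = [sites for sites in _sites_by_password(export_text).values()
              if len(sites) > 1]
    return sorted(groups)


def exposure_from_breach(export_text, breached_site):
    """The article's scenario: if `breached_site` leaks its password, which
    other sites in the vault accept that same password?"""
    for sites in _sites_by_password(export_text).values():
        if breached_site in sites:
            return [s for s in sites if s != breached_site]
    return []


if __name__ == "__main__":
    for sites in find_reused_passwords(SAMPLE_EXPORT):
        print("one password shared by:", ", ".join(sites))
    print("a breach of the forum exposes:",
          exposure_from_breach(SAMPLE_EXPORT, "https://forum.example.net"))
```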
Password managers may be of great help in such situations, but they are not without risks, either. For instance, password managers that use browser extensions can more easily be attacked remotely, through the browser.
Syncing your password vault with an online server comes with its own risks, too, compared to using a local vault such as those provided by KeePass or KeePassX (two applications recommended by Ormandy). It gives attackers the opportunity to brute-force your master password and log in to the vault.
LastPass’ Latest Vulnerabilities
The flaw that Ormandy discovered on March 20 in the LastPass Chrome extension (version 4.1.42.80) was found in an intermediary JavaScript script that stands between the browser extension and LastPass’ cloud service, where your password vault is stored. This bug could allow an attacker to steal your passwords as the vault is accessed.
If you had the “binary component” installed, it would have allowed arbitrary code execution, too. The binary component for the LastPass browser extension contains additional convenience features such as enabling fingerprint authentication support, exporting and importing data, and much more.
Ormandy put together a proof of concept in which he showed that the “calc.exe” application could be started remotely on Windows via that LastPass extension vulnerability. According to a recent LastPass post, the bug affected all versions of the extension (Chrome, Firefox, Edge, and Safari). The company said this bug was addressed--apparently via workaround, rather than a complete fix--hours after it was reported.
Another vulnerability was reported for Firefox on March 21. This bug seems to affect version 4.1.35a of the Firefox extension, and the company said the flaw is “largely the same” as the one reported the previous day. However, instead of addressing the Firefox extension's issue via the same workaround used for the previous bug, LastPass decided to wait until a full fix was ready. The company said it released version 4.1.36a of its extension for Firefox to fix the reported issue at 12:15am ET today.
LastPass added that it has no knowledge of the vulnerabilities being exploited in the wild and that it plans to release a more comprehensive summary of the events soon.