LastPass has rushed out fixes for its password manager after a security researcher reported two vulnerabilities that affected personal and business users.
The first vulnerability, discovered by Google security researcher Tavis Ormandy, could have allowed attackers to steal users’ passwords or execute malicious code on their computers.
The security flaw affected the LastPass browser extensions for Google Chrome, Mozilla Firefox and Microsoft Edge.
The vulnerable commands were the ones used by the browser extension to copy passwords or fill in web forms using information stored in the user’s secure vault.
Ormandy said if the extension’s binary component is installed, attackers could have used the “openattach” command to run arbitrary code on the computer but, according to LastPass, this would have affected less than 10% of users.
The second vulnerability in the Firefox extension was related to the first one and has been fixed in the latest version: 4.1.36a.
According to LastPass, its investigation to date has not indicated that any sensitive user data was lost or compromised.
All extensions have been patched and are being re-released to users, the company said in a blog post, adding that the LastPass mobile apps for Android and iOS were not affected.
The company also said no master password change is required and no site credential passwords need to be changed, but urged users to ensure they had the latest versions of browser extensions.
LastPass said most users will update automatically but the latest versions can be downloaded here.
Users can check the version of their extension by clicking the LastPass logo in the browser, clicking “More options” and then “About LastPass”.
The latest versions are Firefox: 4.1.36, Chrome: 188.8.131.52, Edge: 4.1.30, and Opera: 4.1.28.
To exploit the reported vulnerabilities, LastPass said an attacker would first have to lure a user to a malicious website.
Once on a malicious website, Ormandy demonstrated how an attacker could make calls into LastPass application programming interfaces (APIs) or, in some cases, run arbitrary code, while appearing as a trusted party.
Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.
Providing more details about the Firefox 3.3.2 message-hijacking bug, LastPass said a flaw in the URL parsing process in Firefox 3.3.2 enabled malicious websites to spoof legitimate websites and fool the LastPass add-on into providing user site credentials.
“This bug was reported to our team last year and fixed at that time. However, the fix was not pushed down to our legacy Firefox 3.3.x branch; this branch has been scheduled for formal retirement in April,” the company said.
“We strongly recommend updating to Firefox 4.1.36 from LastPass.com/download. Users can also update to Firefox 3.3.4, however, as we noted previously, the 3.x version of LastPass will be retired in the coming weeks.”
LastPass has recommended users:
- Do not click on links from strangers or that seem out of character.
- Use a different, unique password for every online account.
- Use a strong, secure master password for their LastPass account.
- Turn on two-factor authentication for LastPass and other services.
- Run antivirus software and keep all software up to date.
To prevent these issues in the future, LastPass said it is strengthening its code review and security processes, particularly around new and experimental features.
“We greatly value the work that Ormandy, Project Zero, and other white-hat researchers provide. We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention. We welcome contributions from all researchers via our bug bounty program at https://bugcrowd.com/lastpass.”
Tod Beardsley, Research Director at Rapid7, said the issues with LastPass show that security software is just like any other reasonably complex software. “All have bugs, and sometimes those bugs have security implications,” he said.
According to Beardsley, password managers are still infinitely more preferable to human-generated, human-memorable passwords.
“The risk associated with password reuse is far greater than the risk associated with a zero-day vulnerability in a particular password manager,” he said.
“There is no indication that the issues reported by Google are being exploited today, and LastPass appears to be responsive and are putting their users’ interest first.”