The password manager LastPass recently dealt with some browser extension vulnerabilities. How serious are these LastPass vulnerabilities, and what can enterprises do to mitigate them?
Tavis Ormandy, a Google Project Zero researcher, has been a thorn in the side of LastPass for the past year. In 2016, he found multiple vulnerabilities in its software, and in March 2017 he reported several new vulnerabilities in the LastPass browser extensions that enabled password theft and, in one case, remote code execution.
LastPass is a password manager that generates random passwords, auto-fills them into applications and websites where possible, and keeps the credentials in a digital wallet. This improves credential hygiene and discourages password reuse. Because it concentrates so many credentials in one place, LastPass is an attractive target, and Ormandy's findings have helped the company improve its security by fixing the LastPass vulnerabilities before they were exploited in the wild.
Ormandy reported two LastPass vulnerabilities that let a malicious website make calls into the LastPass extension's API. An attacker could use this to steal credentials and, in one case, inject code to run arbitrary commands on the victim's system. In both cases the attacker first had to lure the user to an attacker-controlled site for the vulnerability to be exploited.
The first vulnerability let an attacker's site pose as a site the user considers legitimate and extract the victim's username and password for that spoofed site. It is classed as a message hijack vulnerability and affected only LastPass 3.3.2 for Firefox. Notably, this bug had been reported before but was never fixed in this version. The affected versions are now being deprecated and will no longer be available for use.
The second bug is more devious. It lay in an experimental onboarding feature of LastPass and affected the Chrome, Firefox and Edge extensions. Like the first, it relied on the attacker luring the user to a malicious site that the extension then treated as trusted, handing over the user's legitimate credentials. It also allowed remote code execution, which Ormandy demonstrated by launching the calculator application. That makes it the more critical of the two: it goes beyond stealing credentials to turning the extension into a foothold on the user's entire system.
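The message-hijack class described above, reduced to its essence as an added illustration. This is not LastPass code and does not reproduce the actual bugs; the vault, message shape, site names and function names are all constructed for the example. The point it shows: a privileged listener that decides which site to fill from a field the requesting page supplies can be asked for any site's credentials by any page able to reach it, while one that keys on the browser-supplied sender origin (which a page cannot forge) refuses the spoofed request.

```javascript
// Illustrative model of an extension message handler (added example, not
// LastPass's code). Browser postMessage events are modelled as plain objects
// with an `origin` the browser fills in and a `data` payload the page controls.

// Constructed sample vault: origin -> credentials (hypothetical).
const VAULT = {
  "https://bank.example": { username: "alice", password: "correct horse" },
  "https://mail.example": { username: "alice@mail.example", password: "battery staple" },
};

// Vulnerable pattern: the site to fill is taken from the message body, so a
// hostile page simply names the site it wants credentials for.
function handleFillRequestVulnerable(event) {
  const { cmd, site } = event.data || {};
  if (cmd !== "fill") return null;
  return VAULT[site] || null; // `site` is attacker-controlled
}

// Hardened pattern: ignore what the page claims and key the lookup on the
// origin the browser attached to the event. Only secure origins are honoured.
function handleFillRequestHardened(event) {
  const { cmd } = event.data || {};
  if (cmd !== "fill") return null;
  if (typeof event.origin !== "string") return null;
  let origin;
  try {
    origin = new URL(event.origin).origin; // normalise scheme/host/port
  } catch {
    return null;
  }
  if (!origin.startsWith("https://")) return null;
  return VAULT[origin] || null;
}

// Constructed message as a malicious page at https://evil.example would send
// it: the body claims to be the bank.
const hostileEvent = {
  origin: "https://evil.example",
  data: { cmd: "fill", site: "https://bank.example" },
};

// Constructed message from the real bank page.
const legitEvent = {
  origin: "https://bank.example",
  data: { cmd: "fill", site: "https://bank.example" },
};

// Runs both handlers against both messages and reports what each hands out.
function demo() {
  return {
    vulnerableLeaksToHostile: handleFillRequestVulnerable(hostileEvent) !== null,
    hardenedLeaksToHostile: handleFillRequestHardened(hostileEvent) !== null,
    hardenedServesLegit: handleFillRequestHardened(legitEvent) !== null,
  };
}

console.log(demo());
```

The fix is not the string check itself but where the trust decision comes from: anything inside `event.data` is page-controlled, while `event.origin` is set by the browser. A real extension would additionally restrict which pages may talk to the content script at all.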
Since the vulnerabilities were reported, updates have been released for the affected extensions, and the Firefox 3.3.2 version carrying the message hijacking bug has been deprecated. All of these vulnerabilities required the victim to visit an attacker-controlled page, typically reached through a phishing link, so users should remain cautious about which links they click.
Also, where possible, enable multifactor authentication on every account that supports it. It would not have stopped credentials from being stolen here, but it would have denied the attacker access to the accounts behind them without the second factor.
At the time of this writing, LastPass said there was no evidence these vulnerabilities were being exploited in the wild and that a master password reset was not required.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)