A security researcher may have jumped the gun in talking about LastPass security flaws on Twitter, but an update fix has been rolled out.
Famed Google Project Zero information security engineer Tavis Ormandy apparently got a bit too excited after uncovering some vulnerabilities in the LastPass password manager. Ormandy didn't give details on the LastPass security problems he found when posting to Twitter Tuesday evening, saying only that what he found was "a complete remote compromise," but experts questioned his first tweet:
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap. — Tavis Ormandy (@taviso) July 26, 2016
Ormandy received a number of tweets admonishing him for tweeting before disclosing whatever issues he found to LastPass, prompting him to follow up just 10 minutes later:
OK OK, I get it, lots of people use LastPass. If you work there, please contact me ASAP and let's get this fixed. — Tavis Ormandy (@taviso) July 26, 2016
A number of experts questioned by SearchSecurity said Ormandy made a mistake by going to Twitter before disclosing the vulnerabilities to LastPass, but the extent of the mistake was subject to debate.
Gunter Ollmann and Oliver Tavakoli, CSO and CTO of Vectra Inc., respectively, and Lane Thames, security researcher at Tripwire Inc.'s Vulnerability and Exposures Research Team, said Ormandy should not have discussed the issue on Twitter, though Tavakoli thought the LastPass security flaws were responsibly disclosed nonetheless.
"There are accepted -- and well-thought-through -- procedures for responsible disclosure, which aim to strike a balance to protect consumers from attacks until patches to fix the flaw are available," Tavakoli told SearchSecurity via email. "Tavis appears to have followed these accepted procedures."
Ollmann suggested public warnings can sometimes be of use.
"Generally, it's not helpful to publicly disclose the presence of critical vulnerabilities before the vendor has been alerted, or had the chance to fix or respond -- as all it does is cause fear to the users and cause other hackers to focus on the product to look for the same bugs," Ollmann said. "However, in some cases, a public alert may be warranted if a product is so badly developed that there is immediate and provable risk to users, and that they should stop using the product ASAP."
Ryan O'Leary, vice president of the Threat Research Center for WhiteHat Security, based in Santa Clara, Calif., said, "Responsible disclosure is a tricky thing," but ultimately agreed with Ormandy's actions.
"Tavis did not disclose how he was able to remotely compromise accounts, which would have had immediate, devastating implications," O'Leary told SearchSecurity. "Instead, he made it known to users that there is a critical flaw and he would report the findings immediately to LastPass to fix. This was so users would know of the issue, and to potentially stop using the service and change their passwords immediately."
For its part, LastPass has fixed the flaws quickly, pushing out an update less than 24 hours after Ormandy's tweet.
"As always, we appreciate the work of the security community to challenge our product and ensure we deliver a secure service for our users," a LastPass spokesperson told SearchSecurity. "Our team worked directly with the security researchers to verify the reports made and worked quickly to issue a fix for LastPass users. To apply the fixes, we recommend that users update LastPass on their browsers."
In a blog post on the issue, LastPass said the problem only affected Firefox users, and the LastPass spokesperson confirmed the company is continuing to work with Ormandy "to ensure there are no more vulnerabilities."
It is unclear from the LastPass blog post if the issue found by Ormandy was the same as the one found by Mathias Karlsson, security researcher at Sweden-based Detectify, but the blog post did mention the update fixed issues from two security reports.
Karlsson said he found a bug in the autofill functionality of the LastPass extension, which allowed him to extract passwords by using a malicious website. However, Karlsson said the flaw did not work if multifactor authentication was enabled, and a screenshot of the issue he found showed it affecting the Chrome browser.
Are password managers safe?
Experts agreed password managers are always likely to be targets for threat actors, so the speed of fixes is important to note.
"Given that consumers of these products use them to store all their passwords, LastPass stores the most valuable things you can steal from a consumer all in one place," Tavakoli said. "Also, note that tools like LastPass can be used to quickly change all the passwords and emails associated with accounts, thereby locking consumers out and requiring them to slowly and laboriously convince each of the businesses they have accounts with to reset their passwords and contact info."
Some experts agreed that, despite these LastPass security problems, password managers are generally still a more secure option for users.
"Without a password manager, many people will reuse the same, often weak, password across sites," said John Roberts, senior security consultant at Cigital Inc., based in Dulles, Va. "This poses a substantial risk -- if any site with your shared password leaks it in plaintext or crackable form, attackers may try to expand their compromise by trying the password on other sites. This benefit alone can outweigh the risk of quickly fixed defects in products like LastPass."
"No one flaw would stop me from recommending any product," Tavakoli said. "Repeated reports of flaws without the vendor seeming to take security seriously would cause me to stop recommending a product."
However, other experts said risks associated with a password manager made the cost too high.
"I'm not a fan of password managers because of the risks that the entire contents of the vault can be stolen easily through standard malware with keylogging capabilities," Ollmann said. "Since something like 20% to 60% of residential computers are compromised with malware each year, the prospect of having all passwords stolen during such an attack is too high. A single coding flaw in their online service could expose multiple users' vaults simultaneously."
Thames said there is always risk when using technology that safeguards personal information, and he didn't recommend the use of password managers.
"It is impossible to build any piece of software that can be guaranteed to be perfectly secure. With that said, various pieces of software such as LastPass are highly critical, and once flaws are discovered, both the vendor and the customer must move quickly to get their systems patched to prevent exploitation," Thames said. "Users give LastPass critical pieces of information; a flaw, once discovered, can be dangerous -- equivalent to giving a burglar the keys to your front door. As with anything related to security, users must measure their own cost-benefit and risk tradeoffs when using this type of technology."
O'Leary said he understood the allure of password managers like LastPass as a secure way to store and generate passwords you use for every site, but he said "any security vulnerability within LastPass would have devastating effects."
"In this case, it's a worst-case scenario, a flaw that allows an attacker to completely compromise accounts and view all passwords stored in their account," O'Leary said. "Passwords are your keys to your digital kingdom. Any security vulnerability present in these password managers is enough to not recommend anyone use them. It's simply too big of a risk to compromise one of the most vital pieces of information you have when you go online."