
A look at Google Trends for topics and news searches that contain “password” and “hacking” shows what one might expect. Ever since Google started publishing the data, neither topic has left the public eye. However, both grew and then declined in search popularity. Hacking, though, almost always outweighed searches about passwords. People frequently searched for hacked passwords. The LinkedIn passwords attracted some attention.

Password security has lately become a topic of discussion in some communities, often in communities too small to significantly impact Google’s search trends. Likewise, the trends accurately reflect, for the most part, simple searches. Many with password security concerns have no interest in or need for searching the topic. However, the topics of password safety and personal privacy are moving outside their usual domains. Password manager programs, in this case, are largely responsible.

Tavis Ormandy, a “vulnerability researcher at Google” via Google’s Project Zero, interacted with LastPass constantly throughout the recent month(s). The researcher kept finding flaws. Before the developers of the password storage program patched the first flaw, Ormandy notified them of another. And then another. And these are only the most recent exploits; they suffered similar treatment months ago.

DeepDotWeb wrote, regarding the loss of Black Goblin Marketplace CannabisRoad:

“This is an example of why you must avoid password reuse and must use different passwords on each market you might be active on – the owners could be shockingly incompetent and reveal your password to anyone in the world who can read the database.” Additionally, he wrote, “CannabisRoad proves that there is no level of incompetence a market cannot reach,” referring to brutally long, had passwords.

Google created Project Zero in 2014 (first referenced in 2010), for a single purpose: finding zero-day vulnerabilities. Google’s group of paid security researchers hunts bugs and security vulnerabilities in both Google products and software used by users of Google products. The program at risk, this time, connects directly to Google products through a Google Chrome plugin. Users could use the plugin to autofill password fields on websites, assuming they stored the password in LastPass.

LastPass messaged Mashable about the vulnerabilities and pointed to the recent blog post that explained the exploits and subsequent patches. “The company claims it has fixed all issues now, and patches will be applied automatically for most users,” Mashable wrote. “According to LastPass, there is no indication that any of these vulnerabilities were exploited in the wild.” Many Twitter voices, including some LastPass users, complained about LastPass’s “poor communication” regarding the bugs.

And Project Zero, by policy, keeps such information from the public for 90 days – enough time for any patches to be made by the vulnerable company. “The company vowed to provide a more comprehensive overview of these vulnerabilities, as well as its efforts to fix them and prevent further issues, in the future,” Mashable wrote.

LastPass published a blog post on March 27 that explained the issue and thanked their partners for fast-tracking the fix:

“This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension. Exploiting required luring a user to a malicious website (through phishing, spear phishing, or other attack), or to a trusted website running malicious adware. This requires a per-user attack that must be executed through the user’s local browser.”
