You are here

You are here

LastPass reveals last passwords—but dubs it ‘minor bug’

Richi Jennings Industry analyst and editor, RJAssociates

The password manager LastPass had a bug that exposed users’ most recently used credentials. An attacker could set up an iframe to fool it into regurgitating its last data.

As if that weren’t bad enough, the LastPass team sought to minimize the bug’s severity, calling it “minor.” That’s despite the bug reporter—a respected infosec researcher—describing it as “high severity.”

Really, LastPass? In this week’s Security Blogwatch, we think that’s disingenuous.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 10 years of SofS.


What’s the craic? Ionut Ilascu reveals the Password-Revealing Bug:

A security vulnerability in the extension … could have allowed stealing the credentials last used for logging into a website. … Tavis Ormandy found that an attacker could create a valid clickjacking scenario for a user that has used LastPass to log into an account.

By placing into an iframe the popup prompting for a password fill, a step in the verification chain was skipped and the last cached value for the current tab would be leaked. … The researcher pointed out other issues [such as the] lack of checking for trusted events … disabling multiple security checks [and] bypassing several security-related verifications.

And Dan Goodin, too—Google Project Zero finds and reports flaw in widely used password manager:

Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into. [The] Google Project Zero researcher … privately reported it to LastPass … late last month. [He used] a class of attack that conceals the true destination of the site.

The vulnerability underscores the drawback of password managers. … By making it easy to generate and store a strong password that's unique for every account, password managers offer a crucial alternative to password reuse. [But if] they fail, the results can be severe. It's not unusual for some people to use password managers to store hundreds of passwords.

The LastPass bug was fixed in version 4.33.0. The extension update should automatically install … but it's not a bad idea to check.

Ship it! LastPass’s Ferenc Kun can confirm it’s Resolved, but sought to minimize the issue:

As always, we welcome (and incentivize) contributions from the security research community through our bug bounty program. We appreciate the important work that white hat researchers provide in augmenting the security of LastPass for all of our users.

[Ormandy’s] report revealed a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario. To exploit this bug, a series of actions would need to be taken by a LastPass user.

So zabullet checks out the release notes:

v4.33.0 / v4.33.4 - September 12th 2019 …
Fixed: Account type appears now correctly …
Security: Minor bug fixes
Just some minor bug fixes. … Nothing to see here. … Move along.

Whither password managers? olsmeister waxes Luddite:

My password manager: Paper list in my desk drawer.

Riiight. Christopher Gray quips it’s an Aptly-named app:

At least they named their application appropriately: "LastPass".

You need access to the last password they used? You've got it!

We know password managers are a Good Idea. But should we ditch the browser extension? Ajedi32 thinks not:

Anything that's not context-aware is vulnerable to phishing.

You might think you'd notice if the site you're on had a different URL than the one you're expecting, but that level of constant vigilance might [be] difficult. … Especially when you take into account some of the more exotic phishing techniques like IDN homograph attacks.

Predictably, here come the fans of alternatives to LastPass—Urist, for one:

Never really liked the idea of a password manager being in a browser extension. There is just too little control over the environment.

I've used KeePassX for years to good effect. I can keep a database which can be passed around as a file, kept on a usb stick attached to my physical … keys, and a cleartext XML backup kept in a safe deposit box at the bank.

It is a bit more work than just having a browser extension to autofill things, but this bug goes to show that you probably don't want your passwords being served up just because some JavaScript element requested it.

And latchkey, for another:

Switched to BitWarden a few months ago from years of using LastPass. Zero regrets.

It is in every way better for my use case. Switching wasn't hard either. Even gave BW my money, it is worth supporting them.

Meanwhile, Nidi62 brings this immodest proposal:

I pick really strong passwords and store them where I could never lose them: I just get them tattooed on my body.

It's worked so far, but with my work forcing me to change my password every 3 months it's been a real pain in the neck. And the arm. Then the other arm…

The moral of the story?

Password managers are desperately imperfect, but they’re the least-worst option. Beware of babies hiding in bathwater.

And finally

10 years of melodysheep

 “Thanks for being a part of this wild ride with me. To be honest, I can barely watch my old videos—they are so amateur compared to what I'm working on now—but I hope you dig this nostalgic trip through the past decade.”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Andrew Martin (Pixabay)

Keep learning