Password management service LastPass is no stranger to vulnerabilities, from an autofill vulnerability just earlier this year to a major breach back in 2015 and numerous flaws reported in the interim. Now, Google Project Zero researcher Tavis Ormandy has reported three separate vulnerabilities in the service, one of which LastPass claims to have resolved.
The resolved vulnerability could have allowed attackers to perform remote code executions (if using the binary component), apart from stealing passwords, and affected Chrome and Firefox users utilising LastPass v4.1.42. LastPass claims this has been resolved, and Ormandy himself has marked the issue as fixed on the Project Zero site.
Update: LastPass says it has resolved the vulnerabilities pointed out by Tavis Ormandy. It claims users will not need to change their master password or any site credential passwords, but users must ensure they are running the latest versions of the LastPass - found on its download page. It also claims the v4.1.42 and v4.1.35 vulnerabilities were caused by the same issue, which has been resolved. Ormandy in a tweet commended the LastPass team for the speed of the resolutions.
As for the other two vulnerabilities, one affects an old LastPass add-on (v3.3.2) on Firefox that LastPass earlier this month said it is considering retiring, though after the vulnerability was reported by Ormandy it said it is working on a resolution. Ormandy refers to it as a quick exploit, implying it was easy to find and use.
With these many vulnerabilities reported in under a week, it’s quite apparent LastPass is on high alert, and could do with an extensive audit of its services. As we mentioned, this certainly isn’t the first time the password management service has been under fire, and Ormandy himself uncovered a major flaw last year.
Security is certainly not easy, but when you are responsible for managing the passwords for millions of users, staying on top of your game is paramount. Ormandy advises using KeePass or KeePassX password managers. Password management services built into browsers like Chrome, Firefox, Safari, and Opera are themselves not immune, so unless you start to follow security best practices to create and remember passwords, staying safe could be difficult.