For years, Clark has talked about using password managers to store all your passwords in one place so you don’t have to remember them.
Some people love using password managers. Others fear them because using them means there’s only one point of entry for a hacker to breach. The latter camp reasons that using a password manager is like putting all your money under your mattress; all it takes is one burglar to come in your home and clean you out!
That’s why we’re upset to report that LastPass confirms there is an ongoing security vulnerability in its code that could allow hackers to remotely view your passwords and even run malicious code on your device.
How the LastPass exploit was discovered
On March 25, Google security researcher Tavis Ormandy reported a previously unknown flaw in the browser extension code used by LastPass.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) March 25, 2017
Ormandy sent a full report of the exploit to LastPass the same day he discovered it. The company now has 90 days to fix the bug before Ormandy reveals what he knows to the larger security research community. (Releasing a full report at the 90-day mark is standard operating procedure for security researchers.)
“It will take a long time to fix this properly,” Ormandy noted elsewhere on Twitter. “It’s a major architectural problem.”
So LastPass has until roughly the end of June to patch the problem, lest Ormandy release his full report that explains exactly how the bug works.
Should that report fall into the wrong hands before the bug is fixed, the LastPass customer base could be put at risk.
“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties,” the company writes on its website. “So you can expect a more detailed post mortem once this work is complete.”
This LastPass exploit is the third one Ormandy has discovered within the password manager’s code over just the last two weeks.
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
— Tavis Ormandy (@taviso) March 20, 2017
Here’s what you can do if you’re a LastPass user
LastPass has three recommendations for its users:
1. Don’t use the desktop browser plugin to log into websites. Go to LastPass.com instead and log into your account via the LastPass Vault. You can access the websites you want from there.
2. Use two-factor authentication on websites. Two-factor authentication is a process that requires you to go through an additional step to authenticate who you are when doing a transaction. That can mean getting a one-time use access code texted to you on your phone before you log into a site. Or it can mean making use of advanced voice recognition software for a company to verify that you are who you say you are. Those are just two possible examples.
With two-factor authentication in place, a criminal may have your password, but they don’t have your phone or your voice! So they can’t do anything with your password if they face additional barriers like these when they try to breach your account.
3. Don’t fall victim to phishing attacks. Phishing is when you receive an email from a company, requesting more information on your account or indicating there was a problem with a recent purchase or some similar ploy. But in reality, the email is just a cleverly disguised scam that’s designed to glean information from you that will ultimately empty your wallet. Here’s how to spot the warning signs of a phishing attack.