A zero-day flaw in the popular password manager LastPass can be triggered by users visiting a malicious site, allowing attackers to compromise the user’s account and all the sensitive information in it.
The discovery was made by Google Project Zero researcher Tavis Ormandy who, after probing a slew of AV solutions and finding serious security holes in them, has apparently set his sights on widely used password management solutions.
Aside from that flaw, he also found “a bunch of obvious critical problems,” but responsibly chose not to share publicly any more details about any of the flaws until the developers have a chance to fix them.
The full report on the issues has been sent to LastPass, and now it remains to be seen whether they are as quick at patching the holes as users expect them to be.
According to The Register, there is no news of in-the-wild attacks exploiting the flaw that can lead to remote compromise of LastPass accounts.
LastPass was acquired by LogMeIn in 2015, and the company has plans to bring capabilities of its early identity management investments, including those of Meldium, which it acquired in September 2014, into LastPass.
“In the near-term, both the Meldium and LastPass product lines will continue to be supported, with longer-term plans to centre around a singular identity management offering based on the LastPass service and brand,” the company noted at the time.
Being receptive to the type of research Ormandy is performing and doing its own security testing should be of great importance to the company. Keeping attackers out of their networks and away from users’ data should also be a priority.
What’s next for Ormandy?
The Twitter comments to the revelation show that many security-minded users steer clear of LastPass, as they don’t trust a service that stores passwords in the cloud, and some have previously found bugs in the software that they believe have never been fixed.
Judging by the comments, many use 1Password as their password manager of choice, and asked Ormandy to analyze it (he promised he would). Others have nominated Enpass, KeePass, PasswordSafe, and Dashlane Password Manager.
UPDATE (28 July 2016):
LastPass has shared in a blog post a bit more about this zero-day and other vulnerabilities it has fixed.