It’s been an eventful couple of weeks for LastPass developers, as they’ve scrambled to fix a couple of serious flaws in the popular password manager’s extensions, which would allow attackers to get at users’ passwords and even execute code on the users’ machines.
The flaws were flagged by Google Project Zero researcher Tavis Ormandy, and responsibly disclosed to the company. To their credit, LastPass has been doing a great job at responding to the vulnerability reports – even Ormandy says so.
But some fixed versions of the extensions were not immediately published, because the company waited for Microsoft and Opera to approve them beforehand.
Then, on Saturday, Ormandy came up with a new way to perform code execution in LastPass for Chrome 4.1.43 (the current latest version of the extension). He sent the working exploit and bug report immediately to LastPass, and the company acknowledged it.
“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability,” they noted.
“This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”
The company has 90 days to fix the flaw before Google goes public with information about it, as per their vulnerability disclosure policy.
Ormandy’s tweet about the new exploit has fuelled a discussion on Twitter about responsible vulnerability disclosure, with some taking umbrage at the fact that he revealed the bug’s existence, while many others took the security researcher’s side, noting that he didn’t reveal details that would help attackers exploit the vulnerability.
Ormandy just confirmed that the exploit works on all browser extensions and platforms, even if users temporarily log out of the extension, and pointed out that “it will take a long time to fix this properly, it’s a major architectural problem.”
LastPass has noted that they greatly value the work that Tavis, Project Zero, and other white-hat researchers provide.
“We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention,” they commented, and invited contributions from all researchers via their bug bounty program.