Background

Google Researcher Found A 'Major' Security Problem On Password Manager LastPass


LastPass is a freemium password management service that stores a user's passwords in encrypted form in a private account. Designed to help internet users protect their online accounts, it is an obvious target for cybercriminals.

On March 25th, Tavis Ormandy, a vulnerability researcher at Google, discovered a code execution vulnerability in LastPass. Ormandy tweeted about the bug but, in keeping with responsible disclosure norms, did not publicly state how it is exploited, and he reported it to LastPass.

The issue lies in the LastPass browser extension. Described as "unique and highly sophisticated" and as a "major architectural problem", it could allow an attacker to steal passwords or execute code.

To limit the damage until a fix is available, LastPass recommended that users launch sites directly from the vault rather than relying on the extension elsewhere, enable two-factor authentication on sites that offer it, and avoid clicking on suspicious links.

"This is the safest way to access your credentials and sites until this vulnerability is resolved," the company explained.

Google's Project Zero is a team within the company devoted to finding and reporting security flaws in other companies' products. Ormandy, a member of Project Zero, has been focusing his research on LastPass for some time.

Ormandy found the flaw just a week after LastPass issued a fix for a pair of issues he had reported. Of those earlier reports the company said: "We greatly value the work that Tavis, Project Zero and other white-hat researchers provide. We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention."


Bugs and security flaws can and do exist in products like LastPass, but most information security experts still recommend using a password manager.

With people using numerous online services, remembering passwords is painful, especially long ones that mix letters, numerals and symbols.

For most users, a password manager makes it practical to use a different strong password for every account, because none of them has to be remembered. A security issue in the manager itself is troublesome, but the more devastating breaches happen when users choose weak passwords that are easily guessed or recovered by brute force, or reuse one password across sites so that a single breach exposes all of them.

Strong, unique passwords are always recommended. People who do not use a password manager tend to fall back on weak, memorable passwords, which is the riskier choice.

A minority of security researchers do have concerns about the password manager model, however. In 2014, for example, Microsoft researchers Dinei Florêncio and Cormac Herley, together with Paul C. van Oorschot of Carleton University in Canada, argued that password managers introduce a single point of failure: users are exposed not only to a compromise of the manager, but also to simply losing or forgetting its master password.
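The single point of failure that Florêncio, Herley and van Oorschot describe can be seen in a minimal model of how a vault like LastPass's is sealed. The following is an added example written for this page; it is not LastPass's code and not the researchers' work. It assumes the vault is a dictionary of site to password, that the vault key is derived from one master password with PBKDF2-HMAC-SHA256, and that the payload is sealed with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag, a standard-library-only stand-in for the AES-GCM a real product would use. Every entry depends on that one master password: the right one opens everything, a forgotten or mistyped one opens nothing, and there is no recovery path.

```python
"""Minimal password-vault model: one master password guards every entry.

Added example, not LastPass code. Assumptions: entries are a dict of
site -> password; the vault key is derived with PBKDF2-HMAC-SHA256; the
payload is sealed with an HMAC-SHA256 counter-mode keystream plus an
encrypt-then-MAC tag, a stdlib-only stand-in for the AES-GCM a real
product would use.
"""
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000  # illustrative work factor (assumption)


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream built from HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries: dict, master_password: str) -> dict:
    """Encrypt and authenticate the entries under the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(sealed: dict, master_password: str) -> dict:
    """Recover the entries; a wrong master password (or tampering) is rejected."""
    salt, nonce = bytes.fromhex(sealed["salt"]), bytes.fromhex(sealed["nonce"])
    ciphertext, tag = bytes.fromhex(sealed["ct"]), bytes.fromhex(sealed["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        # Without the master password the vault is opaque; there is no way back in.
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def _rejects(sealed: dict, master_password: str) -> bool:
    try:
        open_vault(sealed, master_password)
        return False
    except ValueError:
        return True


def demo():
    """Constructed sample vault; returns (right password works, typo fails, tampering fails)."""
    entries = {"bank.example": "Zq7!vB2m#pL9wX", "mail.example": "r4T^kd8Pn@Q1sG"}  # constructed
    sealed = seal_vault(entries, "correct horse battery staple")
    tampered = dict(sealed)
    tampered["ct"] = ("0" if sealed["ct"][0] != "0" else "1") + sealed["ct"][1:]
    return (
        open_vault(sealed, "correct horse battery staple") == entries,
        _rejects(sealed, "correct horse battery stable"),
        _rejects(tampered, "correct horse battery staple"),
    )


if __name__ == "__main__":
    print(demo())
```

The salt makes PBKDF2 output unique per vault so a stolen vault cannot be attacked with precomputed tables, and the tag is checked before any decryption so a wrong master password or a modified blob is refused outright rather than yielding garbage.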