LastPass: how to securely patch the world's most popular password manager

Researchers are looking more closely at LastPass. Patching plug-ins needs care and attention

Researchers recently reported finding two separate and serious vulnerabilities in the market-leading browser password manager LastPass. Although widely seen as a consumer product, the platform is also offered to businesses in the form of LastPass Enterprise.

The first was reported by Mathias Karlsson of Detectify Labs relates to the software's autofill feature which he discovered could be fooled into thinking it was interacting with a site when it was in fact somewhere else. The flaw was reported and subsequently fixed a year ago which earned Karlsson a $1,000 bounty.

The second, discovered only this week by a Google researcher Tavis Ormandy, who described it as a "complete remote compromise" in a fairly detailed submission.

There is nothing unusual in any of this - security problems are found in a wide range of software these days - although as an online password database there was understandable anxiety that two could apparently materialise in a single week. In both cases, the company jumped on the issues seems to have done its best to fix them.

Complicating things slightly is the fact that after years of independent development, the potentially more serious of the latest LastPass flaws (that disclosed by Ormandy) emerged in version 4.x of the password manager released in the months after the firm was bought by LogMeIn in October 2015.

LastPass: who is affected and is there a patch?

The immediate question is how users update their LastPass plug-ins to reflect fixes that might have been released by the firm.

- The Karlsson flaw was fixed over a year ago in version 3.x and would not have been an issue for anyone using one of the various LastPass multi-factor options which are available to all Premium ($12 per annum) users. This issue is now closed.

- The Ormandy flaw affects only Mozilla Firefox running version 4.x, first released as a beta in January 2016, and fixed last week in v4.1.21a, an alpha release.

This brings us to an interesting aspect of LastPass - the plug-in itself is available in two separate versions, the original version 3.x and the more recent and overhauled version 4.x.

Single users who download LastPass from the LastPass website are served v4.1.20 as a universal Windows installer if they are running Mozilla, Chrome, Edge and Safari plug-ins. But Mozilla users who encounter it first in the Add-on Mozilla Store (AMO) are served version 3.3.1 by default with the option to download 4.x as a beta.

This division has to do with the way to AMO store treats stable releases v betas, with priority being given to stable releases even if they are months old but it means that LastPass sees v4.x as the best version to use while Mozilla, for now, recommends v3.x.

Conclusion - use online password databases with caution

The bottom line is that this type of product is now coming under greater scrutiny than it would have done in the recent past. Users need to configure it with great care and not simply assume that the basic security settings will suffice. LastPass, meanwhile, needs to take more seriously its committment to third-party security review in the way it promised to when Computerworld spoke to the company at the time of tis takeover by LogMeIn last October.

- Different browsers update plug-ins at slightly different speeds. Officially, FireFox runs a check every 24 hours, Chrome more often still. In theory, if a stable fix is available for a security hole, it should update quickly. But the only sure way to know is to check the plug-inversion number. Oddly, we encountered one Firefox install where the LastPass 4.x installation appeared to be two months out of date while reporting that no update was available. This is probably an issue with the browser itself but it underlines the need to check.

- It doesn't appear to make any difference to security whether users run version 3.x or the more recent 4.x but differences in the way they work can result in distinct vulnerabilities.

- The need to use multi-factor authentication has never been more pressing, preferably implemented using a hardware token. This is not a magic shield but increases security markedly. This means paying for the Premium version but at $12 it is surely the only responsible way to use such a critical piece of software. We would not recommend using LastPass or any online password store without this security. The risk is not only high but could be worse than using no store at all.

- As far as we can tell all of the above will apply to LastPass Enterprise users who will, presumably, mostly be using version 3.0.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleLogMeInMozillaPremium

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place