Home / news / White Hat Hacker Find 'Obvious' LastPass Vulnerabilities

White Hat Hacker Find 'Obvious' LastPass Vulnerabilities

LastPass is vulnerable, a hat at Google’s Project Zero claims. A fix for the flaw is on the way.

Tavis Ormandy, a researcher affiliated with Google’s security research team Project Zero, sarcastically asked if anyone actually uses LastPass on Twitter yesterday, adding that he found a bunch of fundamental security problems with little more than a quick glance, Betanews is reporting. LastPass is the most popular password storage service on the planet, with millions of users.

Related: LastPass suspects a breach, meaning it’s time for a password change

Ormandy has sent a report of the security problems to LastPass, who are working on a patch. After the problem is fixed, the precise nature of the flaws will become public, which should make for interesting reading.

Google’s Project Zero team routinely researches security flaws online, both in Google services and those created by other companies. Flaws are reported to the appropriate companies, who have 60 days to resolve the issue. At that point, Project Zero makes the flaws public. The idea is to encourage companies to fix the issues, and in this case that seems to be working: LastPass told Ormandy that a fix is on the way.

So we won’t know what problems Ormandy found for a while. But if you want to read something scary right now, researcher Mathias Karlsson also found a terrifying LastPass flaw malicious sites could use to grab all your passwords in bulk, if users leave the automatic login feature enabled.

Related: Keep your login information under lock and key with the best password managers

“First, the parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials,” Karlsson wrote in a blog post outlining the issue. “However, the URL parsing was flawed (bug in URL parsing? shocker!).”

LastPass was quick to respond to the problem, and even paid Karlsson a $1,000 bounty for finding and reporting the issue.

Karlsson, for his part, thinks password managers are worth using, despite flaws like this.

“They are still much better than the alternative (password reuse),” Karlsson wrote.

Having said that, disabling autofill might be a good idea, on LastPass and similar services.

Check Also

Kobo's New Aura H2O Can Survive a Dunk in the Pool

Why it matters to you If you’re in the market for an affordable, durable new …

Leave a Reply

Your email address will not be published. Required fields are marked *