Apr 9, 2014

LastPass Now Checks If Your Sites Are Affected by Heartbleed

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed:


We will continue to update the Security Check recommendations based on which sites we have seen take action and where it is safe to update your passwords. We'll monitor the situation in general and keep our community posted.

If you're not using LastPass yet, now is the time to get started with organizing and managing your passwords, and use our tools to generate new passwords for your online accounts.

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for existing LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding potentially-impacted sites. Thanks to our community for the feedback and input.

260 comments:

  1. Thanks for watching out for my online security! But I don't see anything about Heartbleed on my security check page, despite having just re-run it. Am I missing something? Or does that mean I don't have logins for any affected sites?

    1. Thanks for the heads up, Simeon, we'll take a look.

    2. I can't find the tool either. Could you please give more specific instructions. Thanks. Damian NZ

    3. Click on the LP icon, move down to Tools/Security Check.

    4. @Anonymous: Thanks, but I know how to run the Security Challenge. The problem is that I don't see anything about Heartbleed on the results page.

    5. Same here. The security check gives me the usual security check — nothing about heartbleed in there :-/

    6. Same here ... just tried, no security info on Heartbleed

    7. Yup, I'm not seeing anything either :(

    8. If you changed your passwords or have no matching sites this is expected -- we have added something so you see at least a box indicating that's what happened.

    9. I opened a free LastPass account and the Heartbleed notice does not come up on a Security Check. I paid my $12, and ran another Security Check, and the notice showed up. It seems you have to have a paid account to get the Heartbleed information.

    10. But then, I'm also wondering why none of my sites are showing up as vulnerable. I have 230 logins on LastPass. I can't imagine that *none* of them are vulnerable. In fact, I have accounts on most of the sites listed in the graphic on this page.

    11. Try clearing your browser cache?

    12. I'm in the middle of something right this minute, but I will definitely give that a try. Thank you!

    13. I have the free version, and I see heartbleed info in my results. Had to scroll down a ways, I didn't see it at first.

    14. Anon from earlier here, after a reboot and another clearing of cookies and cache (just cache and cookies didn't do it for me)

    15. If you just created a LastPass account now to run the scan, I don't think this check will work as well for you because LastPass thinks all your passwords are new.

    16. Correct, if you just set up an account we won't have all of the proper data, we're taking a look at improving this for new users.

    17. I'm trying to understand all this but am still confused. Since I am new to LastPass, does this mean that LastPass won't work for new users? Or what does Jeremy Bost mean?
      Sorry for all the questions...my dad usually helps me with this tech stuff, but he's away for the next few weeks. (and when Mom and I work together to solve tech stuff, we're dangerous and mess up even the easy stuff!)
      My laptop runs Windows 8 and I use Chrome (does LastPass work with this version of Windows and this browser?)
      Thanks so much for any help you can give.
      ~Donna

    18. LastPass works for new users. The heartbleed check does not.

      It does work with Windows 8 and Chrome.

    19. We just updated Heartbleed to perform checks for new users too. Let us know if any new users have trouble.

    20. the message from lastpass shows a list of sites in your vault; as encryption is performed on the client, lastpass say they cannot see the contents of an encrypted vault, so how is information being identified?

    21. The extension is running this check locally, the extension has received the list it needs to check against and then based on what we've provided it performs the check. Does that make sense?

    22. Last Pass support your telling people their site is vulnerable to the attack without actually verifying. Whomever wrote the code to this checker is not a security professional and code is SHIT. The Heartbleed bug is only vulnerable to the Openssl Software versions 1.0.1 through 1.0.1f. This is not a bug on all sever software's such as IIS, TOMCAT, etc. Please stop telling people that there ssl certificates on their sites are vulnerable. A lot of customers have already had their certificates reissued and installed using new keys and your site is telling them they are still vulnerable cause the issue certificate validity period is from the past. If you worked for a CA you would know replaced certificates will all have the same date as the original certificate do to the fact that was the original date of the first certificate. But your system is telling people they are still vulnerable to the bug when in all actuality the date of the certificate has nothing to do with the bug. As long as the server administrators have patched their openssl server software and requested a replacement/new certificate the Heartbleed vulnerability will NOT work. So please speak with whomever you need to, to correct your site checker or better yet stick to password support and not SSL Support. If anyone reads this please contact your Certificate Authority or Hosting company to find out if you are vulnerable to this bug.

    23. Can't figure out why y'all don't find heartbleed. I logged on and it is a very large list. Keep at it and lots of luck. Paul The Fireball

    24. Hi, I just did the go update on two of my accounts and changed the password, but for some reason when I re-run the security check it tells me to still go update??? I don't think it detected that I changed the passwords.

    25. I've updated my android app but it still doesn't show any Heartbleed results. Does it only work via a browser? Premium user, UK

  2. Wow this is just fantastic! Thanks you guys!

    1. Last Pass support your telling people their site is vulnerable to the attack without actually verifying. Whomever wrote the code to this checker is not a security professional and code is SHIT. The Heartbleed bug is only vulnerable to the Openssl Software versions 1.0.1 through 1.0.1f. This is not a bug on all sever software's such as IIS, TOMCAT, etc. Please stop telling people that there ssl certificates on their sites are vulnerable. A lot of customers have already had their certificates reissued and installed using new keys and your site is telling them they are still vulnerable cause the issue certificate validity period is from the past. If you worked for a CA you would know replaced certificates will all have the same date as the original certificate do to the fact that was the original date of the first certificate. But your system is telling people they are still vulnerable to the bug when in all actuality the date of the certificate has nothing to do with the bug. As long as the server administrators have patched their openssl server software and requested a replacement/new certificate the Heartbleed vulnerability will NOT work. So please speak with whomever you need to, to correct your site checker or better yet stick to password support and not SSL Support. If anyone reads this please contact your Certificate Authority or Hosting company to find out if you are vulnerable to this bug.

    2. Freddie,
      PLEASE use a spell and grammar checker prior to posting!
      Issues seen right off the top: your should be you are, sever should be server's and software should not have an apostrophe...
      If you want to be taken seriously, please put forth the effort.

    3. I support Anonymous's comment to Freddie, and ask those who don't know the difference between who and whom to go back and study the rules over again. They really are quite simple.

    4. Sorry, I consider these comments about spell & grammar check not helpful. Have you considered that American English might not be Freddie Lopez's first language? Regardless, I find the content of his message quite helpful and informed. To speak my native "Texan" for a bit, y'all sound biased.

  3. This is great. However, numerous sites identified as suspect by the LastPass Heartbleed checker (e.g., dropbox.com) aren't showing up in my Vault's security check. (A few are, but many more aren't.) Why the discrepancy?

    Thanks.

    1. Same here. I know I have more than 14 sites I have passwords for should be on that list....

    2. Same for me, it seems they're basing the security check off a short list of known-positives (rather than identifying servers that potentially used openSSL). It would be nice if there was at least an advanced section that identified all accounts possibly using openssl and gave their certificate age.

    3. We are currently using a known-vulnerable list; the issue with certificate age alone is, do we detect all new certificates as vulnerable? That doesn't really solve it...

    4. Considering Google found the bug, they should be included in the known vulnerable list, but my Google accounts did not show up. Google may have been patched before the bug went public, but they (along with everyone else on the web) were vulnerable long before the public disclosure.

    5. So will sites that changed their SSL certificate on/after 4/8/14 (but weren't on the known-vulnerable list before) begin to show up in the audits since they've presumably changed their certificates as a response to heartbleed?

    6. Thanks guys, we're taking a look at what else should be added, including Google services.

      @Anonymous - Yes, they'll start showing up with "Go Change" as the recommended action.

  4. It seems to be very slow to load... You guys must be overwhelmed?

    1. Thanks John, we're taking a look.

  5. The entire website is extremely slow to load at the moment and the application isn't connecting right now. Is there a service issue or are you guys just getting overwhelmed by all the traffic?

    1. Have you tried again? All systems are go, please let us know if any problems continue.

  6. How do you know when did I update my passwords? Where is this data coming from?

    1. All of these checks are performed locally (after your data is locally decrypted, where we - the LastPass servers - can't touch it). The local checks can only see what you've touched since you added those sites to LastPass.

  7. How can I be sure that your implementation of OpenSSL is secure? And how can I 'remediate' if I (or my boss) feel it isn't as secure as I (we) would like?

    1. We utilize Ubuntu 12.04 LTS, and use the default openssl include and automatically updated. Perhaps this tweet might convince your boss we're actively doing our part to ensure people are using the correct version of openssl https://twitter.com/JoeSiegrist/status/453880576844771328

  8. Lastpass, you guys are awesome. Thank you for all the help.

  9. https://lastpass.com/heartbleed/ -> is incorrectly verifying whether the vulnerability exists or not based on the operating system reported by the webserver. (seems incorrect to do since you can change what is reported... moving past that tho..... )

    My company uses an SSL offloader that *IS* vulnerable to the attack. Our site comes up as clean but I know it is not. We use a firewall currently that recognises the signature of the attack and dumps it, but the site _was_ vulnerable (to a much more limited extent) before the signature was loaded, the cert has not been replaced yet and will not be until it expires (bad idea, I know... don't get me started..)

    1. The only for sure way to verify would be to actually play the attack on someone, but to do that wouldn't it be an extremely shaky thing to do legally?

    2. Thanks, we're still looking for ways to expand and improve the list.

  10. Thanks for earning the money you already convinced me to pay. I love the work you guys do!

  11. Excellent work guys. Thanks for making it easy for us to check all our sites in one place.

  12. http://filippo.io/Heartbleed/ is an example site that tells you if it is vulnerable. But even that one is flawed; if you have firewall software that intercepts the attack (like my company's does) it will turn up an error.
    Really, no easy answer for checking this on a mass scale but combining methods...

  13. FYI, my security check (and the one above in the example) both list avsforum.com. However, it doesn't appear to support SSL at all (which is why the status of the cert is "unknown" since you can't check what doesn't exist)

  14. Running the security challenge - I see no comments on heartbleed at all? Do I need to update anything myself?

    1. After running the check .... Under 'Thanks for taking the LastPass Security Challenge!' you will have a score and rank. Under that you will see Recommendation w/ an exclamation mark. Under that it will say the following along w/ a list of your sites and the action you should take -

      Because of the Heartbleed OpenSSL bug, a number of sites were vulnerable to attack. Below is a list of impacted sites you have in your vault. We also show when you last updated the password for those sites, when the site last updated their certificates, and what action we recommend taking at this time.

    2. Hmm. Re-run again; under my ranking I see "invite your friends etc", followed by "detailed results", history and analysed sites. Nothing about Heartbleed.

    3. I'm using Safari on Mac OS X if that's important

    4. Resolved: Cleared all website data in Safari/preferences/privacy, restarted Safari - and the box you describe now appears - happily with no issues, but I have just spent the last couple of hours changing most of my passwords! Thanks guys - happy I'm secure again.

    5. Thanks for the update, Chris, glad to hear your steps resolved this.

  15. Thank you so much, LastPass people for doing this. I'm sure you'll drum up lots and lots of new users with this, and you will deserve it. Thank you for putting our minds at ease through this mess.

    1. Thanks, be sure to tell your friends -- friends don't let friends reuse passwords.

  16. I run the security challenge and receive a score and a rank and then detailed results. There are no recommendations - just a form email to send out to others for them to perform the test. They do list the analyzed sites but it's about my passwords and not the company's cert info as is listed above. Where do I find that?

    1. Now you should see a message if you had no sites known to be impacted at this time - is that what you're seeing if you run it again?

  17. Looks like Security Check is only showing sites that actually have "https:" at the beginning of the URL stored in the Vault. Is this correct?

    Some sites just redirect to their https equivalents when you visit them, or I removed the whole http... part when editing the URL, so the URLs stored in my Vault might not specify https or may just be the name and TLD.

    1. No; I see OkCupid in my "vulnerable" list but the URL in my vault is http.

    2. That's correct, this is domain-based, not HTTP/HTTPS-based, so you'll see the results regardless.

  18. Thanks for this noble effort, and/but the results should be made crystal clear. Does a website's absence from the results list suggest a clean status, with nothing to worry about, or rather an undetermined status? After reading all the previous comments above, the latter possibility appears to be the case, and I'd suggest that such be explicitly mentioned alongside the results.

    1. No, an absence doesn't necessarily mean a clean status, we have to go off of the information that we currently have and continue to expand the results. Thanks for the suggestion, we'll look at making this clearer.

  19. Is there a way to use this for passwords I've just imported today? I assume LP thinks I've just created these passwords and doesn't flag them.

    1. Excellent point. That may be what's wrong with my report. I just opened my account. I'll be waiting for an answer to this.

    2. Thanks Ben, we're actively working on this.

  20. The security check has a security hole/flaw in it:
    the password entry does not allow/use LastPass' on-screen keyboard - which, of course, Lastpass provides for security against Key-loggers, etc.
    To abandon this fine Lastpass secure login practice (of an on-screen keyboard) for a security check seems to be contradictory, not-the-safest, etc.
    - Madison
    Using Anonymous simply because there is not a secure login in the process.

    1. Thanks for the suggestion, I've filed this with the development team for their consideration.

  21. Once again, LastPass is crushing it in the security department and the user-friendly department. Thanks guys!

  22. A reissue of a certificate does not necessarily change validity dates. So the certificate check is not valid.

    1. We're combining methods of checking, and are looking to fix the issue of false positives for the old dates being reissued.

  23. Do we need to update our master passwords?

    1. Our official statement is that you don't have to. If it's been years since you have or you frequently use LastPass.com's web vault to login, it certainly doesn't hurt (LastPass Icon > My LastPass Vault > Settings).

  24. Heya team,
    I have various sites that I know have been affected that aren't showing on your tool. How can we get a list of these to you?
    Cheers,
    Stuart

    1. Hi Stuart: You can send ones to security[at]lastpass.com - we continue to expand the list based on the information we have access to.

  25. EVERNOTE states they do not use OpenSSL.

    "In early April, 2014, a team of security engineers publicly disclosed a vulnerability in OpenSSL that they called "Heartbleed", assigned common vulnerability and Exposures number CVE-2014-0160. To learn more about Heartbleed, heartbleed.com/ is a good place to start.

    Evernote's service, Evernote apps, and Evernote websites including evernote.com, Evernote Market, Evernote App Center, and our customer support site all use non-OpenSSL implementations of SSL/TLS to encrypt network communications. None of them are or were ever vulnerable to the OpenSSL "Heartbleed" vulnerability. "

  26. I saw the security check does not run on enterprise shared folders. Would be great for this to work.
    https://lastpass.com/support.php?cmd=showfaq&id=5666

    1. +1 this, all our corporate accounts are in a shared folder!

    2. Thanks for the request, we've passed this to the development team.

  27. Hmmm... nice... I use Sticky Password and they said we should change the passwords once those sites have fixed their flaw on their side. Is this what this tool does? Their statement is here: http://blogen.stickypassword.com/sticky-password-and-the-heartbleed-bug/

    1. We alert you to which sites we know you should change the password for.

  28. Ran the check and updated the sites recommended. When I ran again, some of these sites were still in the list, claiming that the password was last changed some time ago, although the vault correctly shows the recent last change date.
    Could this be a browser caching issue?

    1. probably not browser caching. I just re-ran in a different browser (FF rather than chrome) and got the same results.

    2. Hi Keith: There may have been a lag. Are you still seeing this? If so, we'd like to investigate, please send details to security[at]lastpass.com

    3. Me too, I just changed passwords for all the recommended sites, but facebook and google are still listed as I should change their passwords.

  29. Really impressed with you guys and continue to be pleased with my decision to be a paid customer. While dealing with all the heartbleed issues with my own servers I was thinking: What would be really great if lastpass would... And you did.

  30. How are you checking these sites?
    Are you actually checking for the vulnerability or just using server strings and making assumptions? The reason that I ask is because of https://lastpass.com/heartbleed/ and Nginx doesn't give a definite result.

    1. We're doing SSL certificate checking, and server header checking, and known vulnerable list checking (meaning domains we know to have been affected based on public statements). We continue to expand the list.

    2. I think your checking is not sufficient. OpenSSL 0.9.8 does not have the bug. Also sites using a vulnerable implementation, but having compiled the library without heartbeat are not vulnerable. Your checks need to be adjusted, else you are only spreading panic.

    3. You also seem to be stating sites as "Vulnerable" even if the SSL certificate resides on a non-vulnerable load balancer in front of the software version you're checking.

    4. Agreed. The checker is showing sites that are not, in fact, vulnerable as vulnerable (or 'Very likely' in red to add to the scare). Any OpenSSL prior to 1.0.1 is not vulnerable (no heartbeat extension). While this is nice publicity for LastPass, I suppose, spreading panic with false positives is not a good thing in general and, ultimately, will probably let folks know that you are not a reliable authority. My suggestion - do it right or don't do it at all.

    5. If this information is in the server header, we detect this. We're checking multiple data points, and continue to revise and update based on the latest information.

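The replies in this thread name three data points (a known-affected list built from public statements, the self-reported Server header, and the certificate) and the post above combines them with the date you last changed each password to produce a recommended action. The Python below is an added illustration of that triage logic, not LastPass's code; the site records and vault entries are constructed sample data, and the record fields and every label except "Go Change" are assumptions. It encodes the caveats raised in the comments: versions before 1.0.1 never shipped the heartbeat extension, 1.0.1 through 1.0.1f are affected and 1.0.1g is fixed, a reissued certificate may keep its original validity dates (so an old NotBefore is not evidence against reissue), and missing data is reported as unknown rather than safe.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DISCLOSURE = date(2014, 4, 7)          # public disclosure of CVE-2014-0160
OPENSSL_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)")


def classify_openssl(version: str) -> str:
    """Heartbleed status of an OpenSSL version string such as '1.0.1e'.
    1.0.1 through 1.0.1f carry the bug, 1.0.1g fixed it; 0.9.8 and 1.0.0 never
    had the heartbeat extension. A 1.0.1a-f build with heartbeats compiled out
    looks identical here, so 'vulnerable' means 'as far as the string tells'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip())
    if not m:
        return "unknown"
    triple = (int(m[1]), int(m[2]), int(m[3]))
    if triple < (1, 0, 1):
        return "never_vulnerable"
    if triple == (1, 0, 1):
        return "patched" if m[4] >= "g" else "vulnerable"
    return "unknown"                   # later branches are outside this page's scope


def status_from_header(server_header: Optional[str]) -> str:
    """Read the self-reported Server header, e.g. 'Apache/2.2.22 (Debian) OpenSSL/0.9.8o'.
    The header can be edited or omitted, so a missing one proves nothing."""
    m = OPENSSL_RE.search(server_header or "")
    return classify_openssl(m.group(1)) if m else "unknown"


@dataclass
class SiteStatus:                          # hypothetical record, one per domain
    domain: str
    known_affected: Optional[bool] = None  # from public statements; None = no statement
    fixed_on: Optional[date] = None        # date the site announced patch + new keys
    server_header: Optional[str] = None
    cert_not_before: Optional[date] = None # NotBefore of the certificate served now


@dataclass
class VaultEntry:                          # hypothetical vault record
    domain: str
    password_changed: Optional[date]       # None: just imported, real age unknown


def exposure(site: SiteStatus) -> str:
    """Public statements win; the header only fills in what they leave open."""
    from_header = status_from_header(site.server_header)
    if site.known_affected is True:
        return "patched" if site.fixed_on or from_header == "patched" else "vulnerable"
    if site.known_affected is False:
        return "never_vulnerable"
    return from_header


def fixed_since(site: SiteStatus) -> Optional[date]:
    """Earliest date after which a new password is beyond this bug's reach.
    A reissued certificate may keep the original validity dates, so an old
    NotBefore is not evidence against reissue; only a post-disclosure NotBefore
    counts as positive evidence of a new certificate."""
    if site.fixed_on:
        return site.fixed_on
    if site.cert_not_before and site.cert_not_before >= DISCLOSURE:
        return site.cert_not_before
    return None


def recommend(entry: VaultEntry, site: SiteStatus) -> str:
    state = exposure(site)
    if state == "never_vulnerable":
        return "OK"
    if state == "unknown":
        return "Unknown"       # no data is not a clean bill of health
    if state == "vulnerable":
        return "Wait"          # a password set now could be read out again
    since = fixed_since(site)  # state == "patched"
    if since and entry.password_changed and entry.password_changed >= since:
        return "OK"
    return "Go Change"         # changed before the fix, or fix date unknown


def security_check(vault: List[VaultEntry], sites: Dict[str, SiteStatus]) -> Dict[str, str]:
    return {e.domain: recommend(e, sites.get(e.domain, SiteStatus(e.domain))) for e in vault}


# Constructed sample data (not real site statuses).
SAMPLE_SITES = {
    "shop.example": SiteStatus("shop.example", known_affected=True, fixed_on=date(2014, 4, 9), cert_not_before=date(2014, 4, 9)),
    "blog.example": SiteStatus("blog.example", server_header="Apache/2.2.22 (Debian) OpenSSL/0.9.8o"),
    "forum.example": SiteStatus("forum.example", server_header="Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1e"),
    "mail.example": SiteStatus("mail.example", server_header="nginx/1.4.6 OpenSSL/1.0.1g", cert_not_before=date(2013, 6, 1)),
    "other.example": SiteStatus("other.example", server_header="nginx"),
}
SAMPLE_VAULT = [
    VaultEntry("shop.example", date(2014, 4, 10)),
    VaultEntry("blog.example", date(2012, 3, 3)),
    VaultEntry("forum.example", date(2014, 4, 8)),
    VaultEntry("mail.example", None),
    VaultEntry("other.example", date(2011, 1, 1)),
]

if __name__ == "__main__":
    for domain, action in security_check(SAMPLE_VAULT, SAMPLE_SITES).items():
        print(f"{domain:14} {action}")
```

Run as-is it prints OK for the shop (patched, password changed after the fix) and the 0.9.8 blog, Wait for the forum still serving 1.0.1e, Go Change for the mail host that is patched but whose certificate date cannot confirm a reissue, and Unknown for the site whose header says nothing. The ordering in `recommend` is the point: a site still running an affected build gets Wait, not Go Change, because a password set before the fix is as exposed as the old one.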
  31. Can we get password aging as a feature in lastpass now?

    1. Thanks Caleb, it's something we've considered.

    2. Yes, can I +1 that feature request? I suggested that a couple of years ago. You could do it by a set period, e.g. every year, or by cert renewal date as you have done here.

  32. Impressive article, so many sites all over the world are affected by this bug :(

  33. The blog entry describing how lastpass itself is affected is broken; here is the URL:
    http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

    1. Hi Ron: The links above seem to be working for me, where is it you saw the broken link? Apologies if I missed it.

  34. In your Recommendation list, you state that the following are sites in your vault and should take steps as recommended, however none of those sites on the list are in my vault, except Netflix, and never have been. Do you know why the list is incorrect?

    1. Hi Karl: if you run the security check in your vault it should have a list tailored to you - is this not what you're seeing?

  35. Thank you for this checking system! What a relief not having to keep manually checking for when sites are ready to change passwords!

    Something odd happened though with the first one identified for me to change. After changing the new password in the extension, when I saved it a whole load of seemingly random code filled the fields for "url", "User Name" and "Password". I opened that one again using the "Edit" button and saw all this gibberish there again. Then it changed to what I should see, i.e. the site url, my username and the password fields as normal.

    This is using the Firefox Lastpass extension on Mac 10.7.5 (Lion - that is the latest OSX that this machine can handle).

  36. Your service is INCORRECTLY marking sites as Vulnerable when they are not. A site which uses SSL is NOT "Definitely" vulnerable, to quote you, as (for example) versions in the 0.9.8 branch have never contained the bug. My site runs OpenSSL 0.9.8 with all current and appropriate security updates, and is falsely listed as both Vulnerable and as having an Unsafe SSL Cert. You are misleading people and creating panic. Please do the responsible thing and either remove the checker or have it perform a full and correct test! Other sites are doing this correctly, and my site passes those checks, but your checker is flawed and irresponsible. Very poor!

    1. Can you give us the domain or forward to security[at]lastpass.com so we can investigate?

    2. Also - if this information is in the server header, we should detect it, we're hitting multiple data points when we check.

  37. Please stop causing panic in people with your highly incorrect testing process for the Heartbleed issue. Branches previous to the 1.01a-f releases ARE NOT vulnerable and shouldn't be marked as such in your reporting. Highly unprofessional as a company to scare clients toward your product falsely. I run MacOS systems/servers which are not updated except through Apple updates. It is widely known they are not vulnerable. No need to be asking anyone to provide proof when they are telling you they are running OpenSSL 0.9.8. It is KNOWN SAFE.

    1. If this is identified in the server header we recognize it and do not flag it, otherwise we do err on the side of caution (we aim to not give our users a false sense of security). We'd really appreciate any domain information if you're seeing discrepancies, and appreciate the feedback.

  38. Agree with Sam Worm and Anonymous, your checker is creating loads of false positives! For example, we have servers running Debian Squeeze that your service states as "Vulnerable: Definitely". However, they're running 0.9.8 of OpenSSL and therefore unaffected by Heartbleed. Your checker just appears to check for Apache and the age of the SSL cert, which is a massive oversimplification of the issue and is making the situation far worse for those people who assume your checker is giving accurate results.

    1. We're checking server header, the SSL certificate, and also updating based on public announcements & sources - and we're actively working to prevent false positives. If you're seeing any ongoing discrepancies, we appreciate specifics as we refine our tool, thanks for the feedback.

    2. Thanks for toning down the message. Will email you a couple of sites that are reporting incorrectly

  39. According to the news, 76% of all servers are affected. So how come of the 136 sites I have in LP the 5 that I care about (Bank, CC, Paypal, amazon and google) are ALL OK according to your report. I am not that lucky.
    Thanks for the new report, I just hope it's accurate.

    1. Most likely because the most high-profile sites have teams of security personnel who jump on an issue and fix it as soon as they're aware of it. It's the small businesses which are likely to remain unpatched for days, if not weeks.

    2. These types of services did have advance warning, actually. We continue to refine our tool so it's worth checking back over the next few days.

  40. Thanks for doing a great job ... i read some people claim it's not perfect, but great you replied so fast with this check after this vulnerability got public, communicating with everyone, improving the tool wherever possible... This action makes me feel good i'm promoting LastPass wherever i can! Keep up the good work.

  41. I can't reply for some reason. The link at the top of this page re your announcement yesterday now works, but the page looks weird. Your picture is a full page high for instance and the announcement is missing.

  42. This has been SO helpful, I have never appreciated LastPass as much as I do right now. What a very useful and secure tool. Thank you!

  43. I am getting sites being reported as both "Safe" and "Update". They are: duolingo.com and quora.com. Github is also listed as "Update" but I changed my password.

    1. I assume you're seeing it's safe because they applied the recommended updates to OpenSSL and their certs, but we still can't account for what may have happened in the last 2 years so we still recommend updating your passwords once those sites are declared safe. I hope that helps?

    2. Shouldn't the warning go away after I change my password? I changed my password on Github and it's still giving me a warning. It thinks my password is 2 years old but I just changed it.

  44. This tool DOES NOT WORK!!!! Here are some correct statements:

    www.heartbleed.com
    https://www.digicert.com/heartbleed-bug-vulnerability.htm

    1. We'd appreciate details of what's not working for you?

  45. I had to read the comments to find out that this doesn't check every site in your vault. It only checks sites on a list Lastpass has compiled. This information should be front and center on the blog post and the security check. Having to rummage through the comments to find out that this wasn't check all my sites isn't being very upfront. This provides people with a false sense of security if a site doesn't show up on the list.

    There should be an option in security check to list EVERY site in the vault, with the following 5 status:
    -Wait
    -Go Update
    -Not Checked (with an option to check manually?)
    -Not Vulnerable
    -You've Already Changed Your Password

    I think this would make things a lot clearer instead of having to guess at which sites still need to be checked.

    1. Thanks for the feedback, I've passed this along - we continue to update the tool.

  46. Use the https://www.ssllabs.com/ssltest/index.html from Qualys. The LastPass tool does not work properly.

    1. We're addressing this from several angles - not just what the current status is of the site's certs & OpenSSL implementation, but what may have been at risk over the last two years. We appreciate the feedback and are happy to address any other specific reports!

  47. We have tried the LastPass tool on various sites and the Qualys tool is much better. We have customers using the LastPass tool and are telling them to stop as it is providing a significant amount of false positives.

    The LastPass tool cannot handle applications behind an F5.

  48. You guys are misleading people by assuming that valid from date on certificates is definitive evidence of this vulnerability. Re-keyed certificates don't update the valid from date.

    I understand there is a chance that a site might be using an old cert, however it's important that you educate people with all the facts.

    1. Thanks for the feedback, we're modifying our language a bit and would appreciate any further reports of discrepancies you might see (security[at]lastpass.com).

  49. I have had a couple of sites that have updated their Cert but are still showing up on the checker. Any idea why?

    DDK

    1. What is the result on the checker? We still say to update your password even if the cert was updated, as that data may have been at risk over the last 2 years - happy to look through specifics, you can send to security[at]lastpass.com if you'd prefer. Thanks!

    2. All sites seem to have updated since I checked the page yesterday. Although, from everything I have read, Google updated its cert before the issue was found, it is still telling me to wait. DDK

    3. It's also telling me to update passwords that I have already updated.

      DDK

  50. This checker does not work, you should use a tool like http://filippo.io/Heartbleed/ to check the sites.

  51. Poor tool. Gives false positives on sites that have older versions OpenSSL.

    1. If this data is in the server header, we should detect it. We're detecting multiple data points, and are actively working to resolve false positives.

  52. The fact that their private key may be compromised has little to do with the fact that you should change your password. If they have patched OpenSSL, I would recommend changing your password. The likelihood that a private key was compromised on very large site is fairly high, but it does not mean some threat actor has access to all of the traffic ever sent on the internet.

  53. FYI, getitdoneapp.com tests positive with your tool but negative with other tools such as https://www.ssllabs.com/ssltest/index.html and http://filippo.io/Heartbleed/ Please fix your tool ASAP or take it down.

  54. If you think LastPass is legit then you're a dumb dumb. You just got caught in a big net! They're getting way too much press for a broke, misleading, vulnerability check mechanism... definitely a government intelligence job. pfffft

  55. I ran lastpass tool on my vault. It sent vulnerability email to my husband's yahoo email telling him that gizmodo and lifehacker were possible data compromises for his email address. When I search my vault, I do not find "giz", "life", or any string from his yahoo email address. How exactly does this security tool work?

    It seems like, if it finds "someuser@yahoo.com" in a vault entry possibly in the comment/secure note, it sends email to someuser@yahoo.com to warn them about the vulnerability. But you cannot search on the text in the comments to find these strings to identify the vault entry!

  56. How frequently is this test running? I have panicked LastPass users freaking out over a false positive on my site.
    1. My site was patched yesterday, but now I will permanently be in a state of "Vulnerable: Likely (known use OpenSSL)"? If you are not testing then you don't know how likely.
    2. We revoked and reissued ALL of our SSL certificates yesterday with new private keys, making them cryptographically NEW; however, you appear to be using the validity dates to state our certificates are UnSafe, which is not true. CAs that grant unlimited revoke do not necessarily change those fields, but the certificate's unique key changes and often they increment the version number.

    Don't get me wrong, I like the idea of this tool; however, I think it is deeply flawed.

    1. Yes, we're in the same situation. Site (techlicious.com) is patched, certificate has been reissued, yet Lastpass is giving our site vulnerability as "Likely" and using the original certificate creation date rather than the new date. Other testing programs don't have this issue.

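
Comment 48 above and this one make the same point: a checker that keys on the certificate's valid-from date cannot tell whether the operator generated a new private key. A reissued certificate can keep its notBefore while carrying a new key, and a renewed certificate can get a fresh notBefore while keeping the old, possibly leaked, key. The following is an added example (not LastPass code, and not any of the checkers named in this thread) that compares two certificates by serial number and by the SHA-256 of the SubjectPublicKeyInfo instead. The three certificates it compares are constructed in-line with a small DER encoder (empty names, placeholder key blobs, dummy signature) purely so the example runs offline; nothing in them comes from the page.

```python
"""Compare two certificates by key, not by validity dates.

Added example (not LastPass code and not any checker named in this thread).
The three certificates below are constructed in-line with a minimal DER
encoder: empty issuer/subject names, placeholder key blobs and a dummy
signature. They parse like X.509 but are trusted by nothing.
"""
import hashlib

# ---- minimal DER encoder, only what the sample certificates need ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                       # keep the INTEGER positive
        b = b"\x00" + b
    return tlv(0x02, b)

def utctime(s):                           # UTCTime, e.g. "140410000000Z"
    return tlv(0x17, s.encode())

def bitstring(data):
    return tlv(0x03, b"\x00" + data)      # zero unused bits

SHA256_WITH_RSA = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
RSA_ENCRYPTION = seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b""))

def make_cert(serial, not_before, not_after, pubkey_blob):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tbs = seq(
        tlv(0xA0, integer(2)),                          # [0] EXPLICIT version v3
        integer(serial),
        SHA256_WITH_RSA,
        seq(),                                          # issuer: empty Name
        seq(utctime(not_before), utctime(not_after)),   # validity
        seq(),                                          # subject: empty Name
        seq(RSA_ENCRYPTION, bitstring(pubkey_blob)),    # subjectPublicKeyInfo
    )
    return seq(tbs, SHA256_WITH_RSA, bitstring(b"\x00" * 8))  # dummy signature

# ---- minimal DER decoder ----
def read_tlv(buf, pos):
    """(tag, content, raw_element_bytes, next_pos) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    hdr, length = 2, first
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end

def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, body, raw, pos = read_tlv(content, pos)
        out.append((tag, body, raw))
    return out

def cert_fields(der):
    _, cert, _, _ = read_tlv(der, 0)
    _, tbs, _, _ = read_tlv(cert, 0)
    f = children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0       # skip [0] version if present
    validity = children(f[i + 3][1])      # serial, sigalg, issuer, validity
    return {
        "serial": int.from_bytes(f[i][1], "big"),
        "not_before": validity[0][1].decode(),
        # SHA-256 over the whole SubjectPublicKeyInfo element (the HPKP-style pin)
        "spki_sha256": hashlib.sha256(f[i + 5][2]).hexdigest(),
    }

def compare_certs(old_der, new_der):
    """Did the key actually change? notBefore is reported only to show it is not the signal."""
    a, b = cert_fields(old_der), cert_fields(new_der)
    return {
        "rekeyed": a["spki_sha256"] != b["spki_sha256"],
        "serial_changed": a["serial"] != b["serial"],
        "not_before_changed": a["not_before"] != b["not_before"],
    }

# Constructed sample certificates (placeholder key blobs, not real RSA keys).
OLD = make_cert(1001, "120401000000Z", "150401000000Z", b"old-key-material")
REKEYED_SAME_DATES = make_cert(1002, "120401000000Z", "150401000000Z", b"new-key-material")
RENEWED_SAME_KEY = make_cert(1003, "140410000000Z", "170410000000Z", b"old-key-material")

if __name__ == "__main__":
    print("rekeyed, dates kept:", compare_certs(OLD, REKEYED_SAME_DATES))
    print("renewed, key kept  :", compare_certs(OLD, RENEWED_SAME_KEY))
```

In both sample pairs `rekeyed` and `not_before_changed` disagree, which is exactly the failure mode the comments describe. For a live site the same comparison works on DER saved before and after a reissue (`ssl.get_server_certificate` returns PEM; `ssl.PEM_cert_to_DER_cert` converts it); a changed serial alone only proves the CA issued something new, not that the key changed.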
  57. This is very confusing. The security check of my sites does not list some sites as vulnerable that the Heartbleed checker at lastpass.com does. An example is comcast.net.

    Furthermore, using the Heartbleed checker at lastpass.com says that lastpass.com is vulnerable.

    What is going on?

  58. My greatest concern with giving over all my watchword obligations to an application like last pass is that it gets unavoidable that you yourself will overlook all your passwords. At that point you are totally reliant on the application and access to it. What happens if your PC takes a startling soil rest? I figure in the event that its cloud based your data is still there yet imagine a scenario where you some way or another lose that encryption key because of your PC passing on. I know you'll say simply keep a go down on a thumbdrive or something however suppose it is possible that http://goo.gl/N8jJsR

  59. While I see concerns and complaints above, I have to say thanks so much for taking on the risk of helping your users determine what accounts are at risk. I've had no notice from any of the companies directly telling me about the security flaw on their site (notable exception was IFTTT). Thank you so much for giving me a starting point in dealing with this concern. You will undoubtedly refine your tool and be able to react to future concerns better and better. THIS is why I will remain a premium member.

  60. As mentioned by others, the tool is poorly designed and implemented.

    1) Older versions of openssl (which are not vulnerable) cause false positives, which are very misleading for non technical people

    2) The user interface is also not helping. For instance, "Vulnerable: Likely" sounds like a bad thing for non-technical people. Still, you may have that message in case of false positives.

    3) "Updated Cert" indication is absolutely pointless, unless you're 100% sure that the website was vulnerable at one point in time. A real-life example: thanks to your poorly designed tool, I've got inquiries from many customers on my certificate... which is deployed on a machine that has NEVER been vulnerable to HeartBleed.

    LastPass is a great product. Please, leave security research to others.

    Thanks,
    Luca

  61. The programmer of the Heartbleed bug has revealed himself and he said Heartbleed was an accident.

  62. I would love to see Lastpass develop a way to automatically log in and generate a new password automatically.. some kind of script that gets created each time you sign up for a site. Then you can run the option to pick specific sites or all of them and let Lastpass go at it. Come back some time later to see if you have an email telling you which sites were successfully changed and which ones had problems.

  63. I truly feel like the $12 /year isn't enough for the value I continue to get from this. Thank you for staying on top of this!

  64. I don't think the HeartBleed checker tests the vulnerability of the site. I think what it just does is look at the Server Software and provides the assessment, which is totally wrong. The server may/may not be using OpenSSL and may not be vulnerable at all. Basically, the assessment is not guaranteed to be valid!!!! In a lot of cases this could just scare people when the actual site may not even be vulnerable.

    1. We are checking not only for current status, but likelihood that the server could have been affected in the last two years. Saying it's safe now doesn't account for that risk. We continue to refine the tool and appreciate any reports of discrepancies.

    2. Likelihood? How can you test if a system WAS vulnerable if it's now patched?? Your checker states I am vulnerable yet I am using the 0.9.8 version which has NEVER been vulnerable. That therefore calls the accuracy of your checker into question. Even if I upgrade to 1.0.1g today then my site has still ALWAYS been safe but your tool would cause doubts in my users' minds. If anything, your tool would be the equivalent of slander in real life. Your tool is in essence giving my site a bad review based on flawed data. You said yourself that your site had the vulnerability but data was encrypted inside the SSL layer. What if my site did the same? Does that mean I'm not vulnerable? You need to release the code for your checker so that we can check it is accurate. That is the ONLY way we can be sure you're not just making up the results!

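
The comment above is right that reading the Server header tests nothing. The checkers other commenters point to (filippo.io, the Qualys SSL Labs test) perform the actual test: once a TLS handshake is under way they send a heartbeat request whose header claims more payload than the record carries, and an unpatched OpenSSL 1.0.1 through 1.0.1f answers with the claimed number of bytes copied from its own memory, while 1.0.1g (and 0.9.8/1.0.0, which never had the heartbeat code) does not. The following is an added example, not LastPass code and not the code behind any of those checkers: it builds that probe record and classifies a reply. The replies are constructed byte strings, so it runs without a network; driving a live socket and the handshake that precedes the probe are deliberately left out.

```python
"""Build the Heartbleed probe record and classify a server's reply to it.

Added example: not LastPass code and not the code behind any checker named
in this thread. Every reply below is a constructed byte string, so nothing
touches the network.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
TLS_ALERT = 0x15
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
TLS_1_0 = (3, 1)

def build_probe(claimed_len=0x4000, version=TLS_1_0):
    """HeartbeatRequest whose payload_length claims claimed_len bytes while the
    record carries none: the malformed message the check relies on."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len)        # type, payload_length
    header = struct.pack("!BBBH", TLS_HEARTBEAT, *version, len(body))
    return header + body

def parse_record(data):
    """Split the first TLS record in data into (content_type, version, fragment)."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), data[5:5 + length]

def classify_reply(reply, sent_payload_len=0):
    """Verdict for a reply to build_probe(), which carried sent_payload_len real bytes.

    A fixed OpenSSL drops the malformed request without answering (or alerts);
    a vulnerable one answers with a HeartbeatResponse whose payload_length is
    the amount we claimed, filled from whatever followed the request in memory.
    """
    rec = parse_record(reply)
    if rec is None:
        return "patched"                      # silence or connection close
    ctype, _, fragment = rec
    if ctype == TLS_ALERT:
        return "patched"                      # refused the message outright
    if ctype != TLS_HEARTBEAT or len(fragment) < 3:
        return "inconclusive"                 # something else came back; do not guess
    hb_type, echoed_len = struct.unpack("!BH", fragment[:3])
    if hb_type != HB_RESPONSE:
        return "inconclusive"
    # echoing only what we actually sent means the length was bounds-checked
    return "vulnerable" if echoed_len > sent_payload_len else "patched"

def leaked_bytes(reply):
    """The over-read payload a vulnerable server echoed, or b'' for anything else."""
    if classify_reply(reply) != "vulnerable":
        return b""
    _, _, fragment = parse_record(reply)
    _, echoed_len = struct.unpack("!BH", fragment[:3])
    return fragment[3:3 + echoed_len]

# Constructed replies (not captured from any real host), as if to build_probe(claimed_len=64).
def _record(ctype, fragment):
    return struct.pack("!BBBH", ctype, *TLS_1_0, len(fragment)) + fragment

LEAKY_REPLY = _record(TLS_HEARTBEAT, struct.pack("!BH", HB_RESPONSE, 64) + b"M" * 64 + b"\x00" * 16)
ALERT_REPLY = _record(TLS_ALERT, bytes([2, 10]))        # fatal, unexpected_message
SILENT_REPLY = b""                                       # request silently discarded
HONEST_REPLY = _record(TLS_HEARTBEAT, struct.pack("!BH", HB_RESPONSE, 0) + b"\x00" * 16)

if __name__ == "__main__":
    for name, reply in [("leaky", LEAKY_REPLY), ("alert", ALERT_REPLY),
                        ("silent", SILENT_REPLY), ("honest", HONEST_REPLY)]:
        print(f"{name:6s} -> {classify_reply(reply):12s} leaked {len(leaked_bytes(reply))} bytes")
```

The verdict comes from the server's behaviour on the wire, not from a version string or a certificate date, which is why a 0.9.8 host classifies as "patched" here and as "Vulnerable: Likely" in a header-based heuristic. What such a probe cannot tell you is whether the host was vulnerable last year, which is the residual risk the LastPass replies in this thread keep pointing at.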
  65.  Update OpenSSL to 1.0.1 for all the websites.
     Revoke certificates on the impacted systems.
     Recompile with the option "-DOPENSSL_NO_HEARTBEATS".
     The old keys may have been compromised, and new keys should be created before generating new CSRs and requesting new SSL certificates.
     Issue new certificates for the newly created keys.
     Install and verify the new keys and certificates.
     Change usernames and passwords.
     Any website can be checked on this site to see if it has been impacted by the Heartbleed vulnerability - https://lastpass.com/heartbleed/

     IDS signatures to be deployed for detection.

     Users should not use the "Keep me logged in" option on Internet sites such as banking and online shopping sites.
     Internet sites such as Gmail and Facebook do not seem to be safe until they upgrade their websites, and users are recommended to change their passwords.

  67. Amber, can you explain the following to me? I do the security check and it says only 4 websites to take action on. However, when I go here https://lastpass.com/heartbleed/ and check specific other sites I have passwords for (in my lastpass vault) it says they are vulnerable. Which should I believe?

    Thanks!

    1. On LastPass.com/heartbleed we're showing the full range of possibilities, so you'll see results that are "likely" - on the security check results, we're only showing the sites that are known to have been affected.

  68. Hi, our server never used a version of OpenSSL which was vulnerable but shows as being "likely" to have been vulnerable in your checker. Some of our clients' customers have been using your checker to see if their websites are safe and are now convinced they are not. How can we ensure that the checker does not show a false positive for us?

    1. Hi Heather: Please reach out to security[at]lastpass.com with details, we're happy to look into this and update.

  69. Just changed my netflix password because it was on the list. Now it shows that it was changed 3 minutes ago but I still need to update it.

    1. Did you re-run the Security Check again as well?

    2. Same for me, but for facebook.com and google.com. "Age of Password" is about 30 minutes, but "Action" is still "Go update!", after having just updated...

    3. Oh, and yes, this is after re-running the Security Check

  70. You state: "Below is a list of impacted sites you have in your vault." Can the Heartbleed bug switch vault lists? In this list, there are 23 sites and only one of these is in my vault (my yahoo mail account). Could you, please, give further explanation about this?
    I thank you very much.
    Jacques Maurissen

    1. Apologies for the confusion, the list above was just an example - it only shows the results that are relevant to you when you run it (ie, based on what it reads as being stored in your vault). Does that clarify?

    2. Yes, it does. Thanks so much, Amber!

  71. Here is the issue I see. While yes, the PASSWORDS may be secure, your private key could have been exposed. In that event, an attacker could masquerade using your key.

  72. I'm on Google Chrome, and I can't get on either Fanfiction.net or Mobile Fanfiction.net! Whenever I try to access the homepage, a fanfic or an author's profile, it says "Something is interfering with your secure connection to www.fanfiction.net", and the server's certificate is invalid.
    And I tried deleting the cookies on my browser, but it STILL doesn't work.

  73. When I click on "go update" I get to the site but don't know what to do at that time. Nothing tells me what or how to update.

  74. The security check listed several sites with updated certs. I click on the "Go Update!", it opens a new tab to that site. Now what??? How do I update the certificate so I can rerun the security check to verify the all clear.

  75. I noticed Facebook popped up on the Heartbleed section of the Security Check today, showing my password(s) as being a few months old and Facebook's Cert as having updated 1 month ago (an odd figure in itself but what the hey).

    I've changed my password(s) and refreshed the Security Check several times in the last few minutes but it's still showing as "Go Update!" for Facebook even though it knows my passwords were changed 14 minutes ago.

    Is this something I should be concerned about or should I just give it time for the various databases to sync? The tool has worked flawlessly on all other "Go Update!" sites so far.

    1. I have experienced the exact same thing with Facebook and with Google. I'll be interested in the answer you get on this

    2. Well as of 9am this morning UK time (about 10-11 hours after I first posted) Facebook is now showing as safe. I can only guess LastPass' systems are being slammed by requests and it's taking a bit of time for changes to reflect.

      Top marks for implementing this by the way, LastPass. It may not be 100% accurate as detractors insist on repeating ad nauseam but it's been one hell of a time saver and confidence booster when used in conjunction with a sensible credential management policy. I already considered the Premium account to be well worth the pittance I pay for it but it's increased its value by orders of magnitude in the past few days. Thank you.

  76. Same problem here: Updated password, but under Action it still says "Go update!"

    Site          Age of Password   Updated Cert?       Action
    dropbox.com   19 hours          YES (1 day ago)     You are safe!
    yahoo.com     21 hours          YES (3 days ago)    You are safe!
    google.com    35 minutes        YES (1 week ago)    Go update!
    usaa.com      1 hour            YES (1 year ago)    Go update!

  77. False Negatives!!

    Your tool is listing usaa.com as "SSL Certificate: Now Safe" but when I went to the site and checked their certificate, it's still the same one that they had issued a year ago - they haven't gotten a new one. That means the cert is potentially compromised.

    So what's up with your tool? False negative for a financial site is far worse than a false positive!!

  78. One of the better decisions I've made in past years was to get LastPass - well worth the funds. Many thanks for this and the security notices. Well done!

  79. PS: I also have same issues with Google and Facebook despite changing passwords - still says Go Update

  80. I, too, am a paying customer who cannot access anything but the Security Challenge. I have cleared everything I can clear and still no results. I can't get to whatever evaluates whether I have an issue with the Heartbleed thing. I have a gazillion passwords stored in Lastpass and no way to discover which, if any, I should be paying attention to. Any advice for me?

  81. I click the LastPass icon, click Tools, click Security Check, and all I get is the Security Challenge that evaluates the strength of my passwords. Nothing like the chart listed in the beginning of this blog. As I said above, I have cleared the cache from LastPass and the cache, history and cookies from Chrome, and still I get nothing.

  82. Thanks dear Blog members

    Yes, I got alerts to sites affected by Heartbleed. I have updated things. It's very important to keep updating your passwords every 90 days; this is what I would believe.

  83. Thanks for all the work, Lastpass team. Finally feeling happy that I decided to go premium with you and not some other service.
    Has been a very nice experience so far :)

  84. Thank you so much for adding the Heartbleed check to the Security Challenge! After reading these posts, I realize it isn't perfect, but it helped me feel more secure and I trust LP to be tweaking so that it is even better. Great Job!

  85. Hello Lastpass,
    There is a bug with "The LastPass Security Challenge":
    I know for a fact that 3 of my emails have been compromised in the Adobe leak (Cred file) when checking with Lastpass security check, none of them are spotted.

  86. I had also seen this on the news in my area.

  87. I'm looking at the email I just received about the Heartbleed thing and the various postings (aka drama) about how this check incorrectly does something against a specific server or something, then thought if these people were really security pros they should be encouraging people to use complex passwords and change them often. They should be building better systems to allow for people to change their passwords easily instead of criticizing the work of others. I really like what LastPass does for the average user; at least it's something. So I guess it's easier to take potshots at a group that did something than actually looking at the open-source code and finding the bug yourself. Keep up the great job LastPass team!

    The only thing I found questionable in the email was at the bottom, where it said after the address of LastPass...
    "This email was sent to erin@lastpass.com."

    I'm definitely not erin. It raised a reddish color flag, but could just be an oversight in communication.

  88. "... LastPass Security Check (click on your LastPass browser icon, select Tools menu, select Security Check) ..." does not work in Chrome on Mac OS because there is no Tools menu. If I log in from there I get to a "security challenge" that is not the same as the "security check." It does work in Firefox because there I get a Tools menu. LastPass, somewhere you have a flaw.

    And I can't publish this from OmniWeb because I'm not given any profiles to choose from. I'm posting this from Firefox.

    1. Sorry, got it mixed up. Firefox correctly goes to the Security Challenge. Logging in from Chrome never gets there, it only led me to this page, and this page doesn't link (in any way I can see) to the Security Challenge. Instead it gives the same non-working instructions as are in the email.

  89. Seriously, this is OLD news. Anything with the prefix "Open" is generally easy to exploit. Having said that, most encryption used today is completely unworthy of the word "secure".

  90. When I click on "Go Update", nothing happens....

  91. PasswordBox is better than LastPass.
