Jun 6, 2014

Your LastPass Account Is Safe From the New OpenSSL Vulnerability

About 2 months after the discovery of Heartbleed, more OpenSSL vulnerabilities have now been announced. Though organizations should patch their servers, security experts have stated the latest flaws are not nearly as bad as Heartbleed.

The most critical of the new OpenSSL vulnerabilities is known as an “Injection Vulnerability”. If exploited, this flaw could allow a “man-in-the-middle attack”. Essentially, this means someone positioned on the network path between your computer and a server could eavesdrop on, or alter, traffic that is supposed to be protected by SSL. In theory, sensitive information such as email addresses, passwords, and credit card information could be at risk.

So does this impact LastPass?


In regards to LastPass, please note:

  • Your data stored in LastPass is not affected by this bug
  • Your master password is never shared with LastPass
  • Your vault is encrypted with AES 256-bit encryption before being sent to LastPass over SSL
  • Our servers’ SSL libraries have been updated with the latest fixes
  • You can also use LastPass's tool to identify affected sites: https://lastpass.com/opensslccs/

What should I do?


Although the threat is small, if you have used open or untrusted WiFi, we recommend updating the passwords for any online accounts you may have accessed at that time. LastPass will help you update the password to a new, generated one.

We recommend that users continue to exercise caution on untrusted networks, most notably on public WiFi, and remove WiFi networks from their devices that they no longer need or trust. Unlike LastPass, most other websites do not encrypt data before transmission, so there may be a risk of exposure to the OpenSSL flaws on other websites over public WiFi.

We will continue to update our community of any developments in the situation.

The LastPass Team

7 comments:

  1. Actually, I believe this would affect LastPass. Couldn't an attacker, if they can decrypt SSL data, modify the JavaScript and deliver code to the client browser that could siphon off the user's master password to the attacker?

    1. Hi John: We can understand the concern, we had addressed this previously with regards to Heartbleed: http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html?showComment=1396972091564#c1082448276788852931 - please take a look at our CEO's responses and let us know if we can clarify any further.

    2. The response given during the Heartbleed incident was:

      "We tell our customers to prefer logging into the extensions -- and that's exactly what the vast majority of our users do -- even if somehow someone implemented a MITM proxy, they'd also need a potential victim to utilize the website to login rather than the extension -- the extensions themselves couldn't be replaced as those are all cryptographically signed.

      The extensions do not utilize javascript from the website, it's built into the extension."

      While this is good advice, the problem is that all account functions cannot be performed in the extension, and you get driven to the main website to perform them. If LastPass made it possible to never have to log into the website, because you could do everything you need to do in the extension, it would be a lot safer.

      Please, consider devoting resources to making the extensions feature-complete.

  2. "><img src=x onerror=prompt(document.domain);&gt

  3. "><img src=x onerror=prompt(document.domain);>

  4. One question I've had concerning Lastpass is that when I use my master pw to log in to Lastpass, how is my vault protected from hackers, should they gain access to my computer? Once the program is open, what keeps hackers from seeing it? Even though all of the passwords are encrypted, the "show" or "hide" options are there and can show the passwords. Am I missing something?

  5. Thanks a lot for sharing this with all folks; you really recognize what you are talking about.

    Picreel
