Jul 11, 2014

A Note from LastPass

LastPass is able to achieve the highest level of security for our users in part by looking to our community to challenge our technology.

In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities in the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user used the bookmarklet on an attacking site, and another that could be exploited if the user visited an attacking site while logged into LastPass, where the attacker could use the user's username to potentially create a bogus OTP.

Zhiwei only tested these exploits on dummy accounts at LastPass, and we don't have any evidence they were exploited by anyone beyond him and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it.

If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.

Regarding the OTP attack, it is a “targeted attack”: an attacker would need to know the user’s username to potentially exploit it and would have to serve that custom attack per user, activity which we have not seen. Even if this were exploited, the attacker would still not have the key to decrypt user data. If you’d like to check your current OTPs, you can do so here: https://lastpass.com/otp.php

We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.

Regards,
Joe & The LastPass Team

30 comments:

  1. I still think that opening the source (not giving it away but giving it to people to read with "read only" kinda licence - we don't want to put You out of business - we want to be able to inspect the code and suggest patches / better solutions) would bring more users to Lastpass simply because all the quirks (and potential trust issues) would be removed...

    I am not saying do it or I will stop using Lastpass - You will always have my $12 (unless I will find out that my passwords are not secure with You). I am saying - do it and more people will start using Lastpass...

    Think about it.

    Kind regards.

    Andrzej

    Replies
    1. See http://blog.tinisles.com/2010/01/should-you-trust-lastpass-com/

  2. Thanks for the disclosure! :)

  3. "...we let them publish their research before discussing it"

    UC Berkeley doesn't need permission from LastPass to publish their own research.

    Replies
    1. I think you're misinterpreting that quote. It's equivalent to, "We refrained from discussing their research until after it was published."

    2. Thanks for clarifying

    3. The quote says something else than what Nathan explained. But even if it was the way you thought originally, you would be wrong. They do if the research is a cooperation and done on LastPass data. It must be clearly stated before you start. It is the main reason why drugs have so little negative research. It is paid for and controlled by the pharma industry, even if a university does it. And universities are always out of money; that sadly also goes for great institutes like Berkeley.

    4. No, the phrase is grammatically ambiguous, and Nathan's reading is one of several perfectly adequate parsings of it. Reading the context, his is the reading that makes sense. "we let" is modifying "before discussing," not "them publish."

  4. So are the extensions used by browsers like Mercury on iOS bookmarklets, which were vulnerable... or something else?

  5. Do you guys post records of security audits you had performed on your code by third party firms?

  6. This is awful. Not something I want to hear from the website which I trust with all my life information.

  7. Does this mean users should remove any existing bookmarklets and install the latest versions from LastPass?

    Replies
    1. JavaScript has so many vulnerabilities so this is no surprise.
      What is a surprise is that even though LP claims only 1% of users are using bookmarklets, they're still available as what was until recently (at least for Android) the only way to use LP without copying and pasting from the vault. iOS still requires bookmarklets, and even if the 1% figure is correct, all it'd take is to click "add bookmarklets" since it automatically pastes the JavaScript to the clipboard!
      As for OTPs, the advice is "click this link to check your OTPs" like it's a solution.
      I have one final gripe: LP says they have no evidence any accounts except for the dummy accounts from the study were affected. I sincerely doubt 1) they would know which accounts were affected and 2) any compromised accounts would be accessed in such a way hackers would draw attention to the fact (why wouldn't the hacker quietly access a customer's ENTIRE password details and keep evidence hidden so as to continue accessing the account for times when passwords change?)
      If a hacker has the key to your LP, they probably have your email info too, so there's absolutely nothing stopping a hacker getting the login email, is there?
      Until I hear some sort of security audit by an independent third party has checked LP I'm done using it. It's cost me nearly $400 in lost bitcoins due to their "we're not affected by Heartbleed, whoops, we are affected" bull crap and I'm done risking all my info for a company so incompetent and reactive.

      LAST PASS, be proactive for once and fix the damned security bugs, not to mention functional bugs.

      This is a university nice enough to tell you of gaping security holes.... Without an audit I can't trust you know with my life/privacy.

    2. Anonymous,

      You could not be more wrong about everything you said above!
      What you are doing is spreading FUD!

      Any vulnerability that JavaScript has is fixed faster than on virtually any other platform!

      The problem that affected bookmarklets WAS FIXED ALMOST A YEAR AGO! Obviously they are going to be available, because there's nothing wrong with bookmarklets.

      Yes, it is a solution for OTP! You disable existing ones and generate new ones! It is a perfect solution to prevent leaked OTP!

      1) They know which accounts could have been affected because they have access logs from their servers and they know what pattern to search for.
      2) If you are worried you should expire all existing sessions and change your master password and any relevant affected passwords.

      If you know anything about security, one of the very first things everyone says is to periodically change your password! Why aren't you doing this?!

      What login email are you talking about?! LastPass does not send out password reset emails!

      There have been security audits done before! Read my link posted above! LastPass is written in fucking JavaScript! Any half-assed monkey can read through it, compare what's being sent over the wire to what's being generated by your own JavaScript code and see that it's identical!
      You did not lose $400 in bitcoins because of lastpass! You are a liar and a drama queen! gtfo!

  8. What exactly are bookmarklets? LastPass says only a small number of users use them. It's not the bookmarks we save in our vaults, or is it?

    Replies
    1. See https://en.wikipedia.org/wiki/Bookmarklet
      In LastPass' case these are special bookmarks created for platforms that don't support full application/plug-in integration to automatically fill in your login info (such as iOS, or a browser where you don't want to install the LastPass plugin).

      It is not bookmarks you save in your vault.

  9. Hello,

    I am a paying customer and I find this disquieting. I am not going to jump ship but your total value proposition (to me) is to prevent stuff like this from happening.

    I appreciate you blogging about this (but also realize you had no choice since the information was not yours to keep a lid on) but I would much rather hear about what you are doing to proactively prevent this from ever happening again (external code review, automatic code checkers, etc).

    Cheers,
    Rasmus

  10. I am very worried about this.
    LastPass is turning into a honey pot for hackers that want to steal money with the victim not even knowing it.
    Tighten up your security and get more involvement from your community.
    Proprietary software in a nutshell.

    Replies
    1. I'm not dumping LastPass, that's for sure. This whole issue that was fixed already was discussed on GRC's Security Now podcast #464 on YouTube/TWiT.TV and GRC's website. For those wondering about this or concerned, next week's podcast #465 on Tuesday July 22nd will be revisiting password managers and talking about LastPass. Security Now is on Tuesdays, 1:00 p.m. Pacific, 4:00 p.m. Eastern time, 2000 UTC.

  11. I've been a paying customer since LastPass offered a Premium option. I find these revelations disturbing. Even more disturbing is that this blog post seems focused on minimizing the significance -- even the title "A Note from LastPass" seems designed to avoid raising concerns.

    I agree with other posters that LastPass needs to do more to reassure its customers regarding the security of the product, whether by opening up parts of the code, commissioning and publishing independent security assessments, and/or being more open about its internal security practices.

    In the meantime, I'm in the market for a new password manager.

    Replies
    1. I'm not suggesting to treat this issue lightly... Just would like to point out that the other options out there may or may not be better... See arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse for some issues uncovered in some other password managers.

    2. LastPass should definitely be more forthcoming, but your new password manager is going to be vulnerable too. All software is vulnerable, has bugs and security holes. The question has never been "do bugs exist" (they do), the question is, are they dealing with them as quickly as they can and responsibly disclosing? Yes, they are. Keep looking for unicorns if you like, but you're going to keep on being disillusioned about broken software for the rest of your life, because everything is broken:
      https://medium.com/message/81e5f33a24e1

      And opening the source doesn't guarantee anything, especially not security. Just look at Heartbleed, a basic mistake that had been hanging around for YEARS and nobody even noticed. Software security isn't about perfection, it's about risk mitigation.

  12. http://askleo.com/is-lastpass-still-secure/

    "Rather than say nothing at all, LastPass chose to be open about the discovery. I don’t want panicked over-reaction to punish them for doing the right thing."

  13. LastPass' reaction to these vulnerabilities is disturbing. The line being fed to users is basically: "LastPass is bulletproof." When vulnerabilities like this are discovered, the response is to play it down. I don't think the potential for 1% of users, or even one user, to have their entire vault compromised is a minor risk.

    That said, all software is part of a living ecosystem. Vulnerabilities will always exist, and new ones will always continue to surface. What's disturbing here is that LastPass has not done any root cause analysis into these bugs, or published any substantive information as to how they are going to improve their security measures. Independent security audits? Penetration testing? What are you guys actually doing to keep our data safe?

    Replies
    1. We do appreciate the feedback from our users, thank you for voicing your concerns. As we noted, these discoveries were reported to us about a year ago and were immediately fixed. The attacks were novel and valid - and also orchestrated in a targeted manner. A malicious person had to have tricked you into visiting evil.com and then must specifically have known your LastPass username to execute the attack. Further, if they managed to do this, they still wouldn't have any plaintext data and would instead have to try to brute-force your master password to try to obtain actual data. These were server-side attacks, so our response reflects that.

      We do have regular independent penetration tests and security audits, and we work closely with independent security researchers. We also actively engage and solicit the security community and are on sites like bugcrowd.com.

      Thank you again for the input and please let us know if we can be of further help.

  14. Actually, one of the attacks published would have allowed a malicious or compromised website to decrypt your passwords for any and all sites stored in LastPass (http://devd.me/papers/pwdmgr-usenix14.pdf). Publishing misinformation about the severity of the vulnerability is an example of exactly the lack of transparency I find disturbing.

    In the spirit of constructive criticism: LastPass' value proposition is compelling if it is more convenient AND less risky than managing passwords in other ways. You should be asking yourselves, "How can we better mitigate risks, and how can we make a realistic, trustable risk assessment available to our users." I still believe it is less risky than a policy of using the same password on all websites, for example, but you aren't making it easy for me to justify that.

    As a customer, I have to choose to trust statements like "we work closely with independent security researchers," rather than getting to see those reports myself. Instead, what I want is transparency into your security and auditing processes. How are audits conducted? By whom? How often? Can I see the results? How do they compare to other companies' results?

    This is something that will benefit you as a company, and me as a customer. It works on the same "show me, don't tell me" principle of open source code. Look at any regulated industry for examples. Does the FDA take a drug company's word for it, or do they require detailed audit trails?

    Replies
    1. So, you want to blame LastPass for (rather stupid) users going to malicious websites, and then claim these malicious or compromised websites offer those sites to a targeted user only (there is no other way, if you read the attacks' 101), those sites know the username of the LastPass user (which can be changed and made up to be as hard to guess as a password), and then hope and pray they can login without LastPass informing the user about suspicious logins, or LastPass noticing physically separated logins to one account at one time? Honestly, wake up. It's more likely to be hit by lightning. First, try LastPass, go through its config and make sure you know what you're doing.

  16. Good Lord how I hate this thing!!!!! I followed the instructions. It said it imported everything and I could delete it. I did. I have no passwords and the reason for signing up for this is I lost my password book. But Chrome remembered most of them. Now they are gone. I couldn't even get to my e-mail. But it says it will automatically enter any site I use, so I set out to set passwords one by one and does it save a single ONE. No it does not. All it does is ask me to sign in to my vault. I must have entered that password 20 times in the past hour. Life was much better without it and I should have started a new book. Today would not be a good day to see the person who suggested this disaster. Maybe better instructions for those of us who are not techs.

    Replies
    1. Hi Patsy: We're sorry to hear of the trouble with LastPass. It sounds like it's either not installed in the browser or you're not logged in with your account. Are you able to click the LastPass * button in the browser toolbar to login, then try going to your sites? If problems continue please get in touch with our team here: https://lastpass.com/supportticket.php - we're happy to help.
