Early this week, a team of researchers discovered a major security flaw, dubbed FREAK, that jeopardizes secure web connections and could potentially expose sensitive information. While LastPass was not affected by the vulnerability, it’s critical that LastPass users update their browsers with patches as soon as they’re available. Here’s what you need to know:
What is the FREAK flaw?
The FREAK flaw affects SSL/TLS, the protocol that creates a secure connection between you and a website. The secure connection is created when you connect with HTTPS and have a padlock in your browser address bar. That “lock” means that your personal data is encrypted when it’s sent to the website.
FREAK, however, can be exploited with a man-in-the-middle attack. According to
freakattack.com, “It allows an attacker to intercept HTTPS connections between vulnerable clients [devices] and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.”
The FREAK flaw affects most major browsers:
- Internet Explorer
- Chrome on Android and Mac OS - Patch available on Mac OS
- Safari on Mac OS and iOS - Patch expected next week
- Stock Android Browser
- BlackBerry Browser
- Opera (Mac OS, Linux)
You can check if your device or browser is vulnerable by visiting
https://freakattack.com. They’ve also provided a list of
Alexa’s top domains that were affected by FREAK.
How does this affect LastPass?
LastPass users are safe. Our servers were not vulnerable to the FREAK flaw. As always, your LastPass vault is safe, and your master password is never transmitted. LastPass also always encrypts data locally with AES-256 before securely syncing it. Vulnerabilities like this are exactly why we never transmit your master password.
For those using the built-in browsers on LastPass’ mobile apps, they use the platform’s default browsers, which are known to be affected. Our built-in browsers will be updated when those platforms issue a fix. In the meantime, you can browse securely with Firefox mobile.
Communication between our mobile apps themselves and our servers are not vulnerable, meaning it is not possible to intercept your vault data going to and from our servers on those mobile devices.
Actions you should take:
Update with all patches when available. Microsoft, Apple, and Google will all be releasing patches within the next few days, so it’s critical to update your system when those patches are available.
Use Firefox to browse securely. Until patches are available for the above affected browsers, you may want to use Firefox on iOS, Android, and Mac OS to securely browse the web and connect to your online accounts.
Replace vulnerable passwords. Though it’s unlikely that you were attacked, as devices and websites are patched it may be a good time to change the passwords to any accounts accessed on any of your devices shown to be vulnerable. You can also use the
LastPass Security Challenge to review the strength of your passwords. Our
Auto-Password Change feature will also help you replace passwords automatically. It's important to use a different, strong password on every website, so that a password stolen from one website can't be used to login to any of your other accounts.
As always, we'll monitor the situation as it unfolds and update our community as needed.
