Update March 25, 2017 (5:00pm): Our team is currently investigating a new report by Tavis Ormandy and will update our community when we have more details. Thank you.
Incident Report: March 22nd, 2017 (2:30pm)
We want to provide an update to our community on the vulnerabilities recently reported by Tavis Ormandy, a security researcher on Google’s Project Zero team.
This is a long post, so you can get the need-to-know highlights in the overview, or dig into the details in the comprehensive summary below.
Overview
- Two vulnerabilities were recently identified by security researcher Tavis Ormandy
- Our investigation to date has not indicated that any sensitive user data was lost or compromised
- All extensions have been patched and are being re-released to users
- Our mobile apps for Android and iOS were not affected
- No master password change is required
- No site credential passwords need to be changed
- Ensure you are running the latest versions
- Most users will update automatically but the latest versions can always be downloaded from lastpass.com/download
- Please check the LastPass Icon > More options > About LastPass to check your version
- Firefox: 4.1.36
- Chrome: 4.1.43
- Edge: 4.1.30 (pending approval by Microsoft)
- Opera: 4.1.28 (pending approval by Opera)
What happened
Tavis Ormandy, a researcher at Google’s Project Zero, reported two vulnerabilities to our team over the past week that affected many LastPass browser extensions. The reported issues affected both personal and business users.
To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.
Firefox 3.3.2 message-hijacking bug
What was reported:
Based on our URL parsing process in Firefox 3.3.2, malicious websites could spoof legitimate websites and fool the LastPass add-on into providing user site credentials.
This bug was
reported to our team last year and fixed at that time. However, the fix was not pushed down to our legacy Firefox 3.3.x branch; this branch has been scheduled for formal retirement in April.
What you need to know:
Website connector bug
What was reported:
An issue with the architecture for a consumer onboarding feature affected clients on which that code appeared (Chrome, Firefox, Edge). A malicious website could trick LastPass by masking as a trusted party and steal site credentials. Users running the LastPass binary component (less than 10% of LastPass userbase) were further susceptible to remote exploit when lured to a malicious website.
The bug was first introduced in August 2016 when we released this experimental onboarding feature to our consumer users. The code, however, does live in all Chrome, Firefox, and Edge LastPass clients.
Upon notification of the vulnerability, the LastPass team immediately shut down the vulnerable service, and began work to update all affected clients.
While working on our client-side fix, Tavis tweeted (since deleted) about an additional issue. To clarify, this was the same issue across two distinct browsers. This caused some confusion around volume of issues and status of fixes.
What you need to know:
- We have submitted updates to all affected clients to fully remove this vulnerability and re-released to all users.
- Chrome and Firefox are live now, while Edge and Opera are awaiting app store approval.
- As a part of that process, we conducted an exhaustive analysis of every other extension (as well as our installers) that leverage this code.
Full Timeline (Eastern US):
Firefox 3.3.2 message-hijacking bug
- March 10th: LastPass announces formal deprecation of Firefox 3.3.x versions
- March 15th 10:45pm: Firefox 3.3.2 message-hijacking vulnerability announced
- March 15th 10:48pm: LastPass receives details of Firefox 3.3.2 bug and launches investigation
- March 17th 8:43am: LastPass submits a patch to Mozilla with Firefox 3.3.4
Website connector bug
- March 20th 7:20pm: Chrome 4.1.42 website connector bug announced
- March 20th 7:36pm: LastPass cross-functional security investigation launched
- March 21st 12:15am: LastPass shuts down offending service server-side
- March 21st 7:04am: LastPass announces server-side workaround in place while we thoroughly analyze code and fully resolve client-side issues
- March 22nd 12:10am: LastPass releases Firefox 4.1.36 with fix
- March 22nd 12:07pm: LastPass releases Chrome 4.1.43 with fix
- March 22nd 1:55pm: LastPass submits Edge 4.1.30 for release
- March 22nd 2:49pm: LastPass releases Opera 4.1.28 with fix at LastPass.com/download; store pending release
Reminders on Personal Security Best Practices
We know LastPass users try to follow best practices, but these are always good reminders of how to protect your own machine and keep your data safe:
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Use a different, unique password for every online account.
- Use a strong, secure master password for your LastPass account that you never disclose to anyone, including us.
- Turn on two-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Keep a clean machine by running antivirus and keeping your software up-to-date.
Looking Ahead
To prevent these issues in the future, we are reviewing and strengthening our code review and security processes in place today, particularly around new and experimental features.
It goes without saying that security is fundamental to what we do. We strive for transparency in responding to these issues. We greatly value the work that Tavis, Project Zero, and other white-hat researchers provide. We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention. We welcome contributions from all researchers via our bug bounty program at
https://bugcrowd.com/lastpass.
----------
March 22nd, 2017 (11:12am)
Over the past week, we have worked with Google security researcher Tavis Ormandy to investigate and fix reported vulnerabilities. We apologize for the delayed response as we’ve been conducting a thorough investigation on these reports in an effort to provide as much detail to you as possible. While we will soon be providing a postmortem, we wanted to share a quick summary for our community.
What Happened
On the night of March 20th, we received a report of an issue in our Chrome 4.1.42.80 extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients - Chrome, Firefox, Edge - in which an experimental user onboarding feature was released.
Later on March 21st, another report came in related to Firefox 4.1.35a. In fact, this vulnerability is largely the same as the one reported the prior day, and affecting the 4.x Firefox addon. While this issue would have been addressed by our full fix to follow our workaround, this report was received before this could be released. We issued an update, Firefox 4.1.36a, around 12:15am ET today to specifically address that report.
The fixes are being pushed to all users and most should be updated automatically.
We have no indication that any of the reported vulnerabilities were exploited in the wild, but we’re doing a thorough review at this time to confirm. We will soon provide a more comprehensive summary of the events and what our community needs to know. No password changes are required of users at this time.