Incident Report: March 31, 2017 (8:10 PM)
On Saturday, March 25th, security researcher Tavis Ormandy from Google’s Project Zero reported a security finding related to the LastPass browser extensions. In the last 24 hours, we’ve released an update which we believe fixes the reported vulnerability in all browsers and have verified this with Tavis himself.
Most users will be updated automatically. Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at https://www.lastpass.com/.
Now that the issue is resolved, we want to provide a postmortem to our community on what the report entailed and how we are building a better, more secure LastPass going forward. Please note, due to the nature of the vulnerability, this postmortem is highly technical.
- This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension
- Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware
- This requires a per-user attack that must be executed through the user’s local browser
- All extensions have now been updated with the fix and submitted to the extension stores
- Our mobile apps for Android, iOS, and Windows Phones were not affected
- All of your LastPass browser extensions should be updated to version 4.1.44 or higher
- Check the LastPass extension icon > More options > About LastPass for your version number
- Most users should be updated automatically, but the latest versions can always be downloaded at https://www.lastpass.com/
- Uninstalling is not required to download the updated version
“Isolated worlds” and Trusted Pages
Fixing the issue
Immediately after we received the full report, a cross-functional response team investigated and validated the findings. It was clear that addressing the issues would require a significant change to our browser extensions. This was not a simple patch, and required a thoughtful, thorough fix. Those changes then needed to be applied and tested across all affected extensions.
In short: Comprehensively addressing this report required a significant amount of effort and our team worked around the clock to complete the fixes in a short period of time.
To fix the issue, we addressed variable handling and added a Proxy object to the outer scope of the content script, acting as a “sandbox” to prevent externally-supplied window properties from being read within the content script. To further mitigate remote code execution (RCE), we put in place restrictions on the types of attachments the extension can launch and limited the available extension APIs.
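The Proxy-based sandbox described above, as an added illustration in JavaScript that is not LastPass's code: `pageWindow`, `lpFillCallback` and `lpVersion` are constructed stand-ins, and the nested `with` statements simulate how a bare identifier in a content script can resolve to a property the page controls.

```javascript
// Constructed stand-in for the page's window object. `lpFillCallback` is a
// hypothetical name, not a real LastPass identifier; a page can plant such a
// property from its own script or via a named element like <div id="...">.
const pageWindow = {
  lpFillCallback: () => 'ATTACKER_CONTROLLED',
};
// Sandbox Proxy placed in the content script's outer scope: it claims every
// identifier, so lookups never fall through to the page's window, and only
// hands back values the content script itself declared.
function makeSandbox(declared) {
  const own = Object.assign(Object.create(null), declared);
  return new Proxy(Object.create(null), {
    has: () => true, // answer every identifier lookup ourselves
    get: (_target, name) => {
      if (name === Symbol.unscopables) return undefined; // consulted by `with`
      if (name in own) return own[name];
      // Not declared by the script: refuse instead of reading window.<name>
      throw new ReferenceError(`${String(name)} is not declared by the content script`);
    },
    set: (_target, name, value) => { own[name] = value; return true; },
  });
}
// Evaluate a content-script expression. The outer `with (pageWindow)` models
// identifier resolution leaking into the page's window; a sandbox, when given,
// sits between the script and that window. `new Function` bodies are
// sloppy-mode, so `with` is legal here even if this file is strict.
function evalContentScript(expr, sandbox) {
  const body = sandbox
    ? `with (pageWindow) { with (sandbox) { return (${expr}); } }`
    : `with (pageWindow) { return (${expr}); }`;
  return new Function('pageWindow', 'sandbox', body)(pageWindow, sandbox);
}
// Vulnerable pattern: the script calls a global it never declared, so the
// page-supplied function runs inside the content script.
function vulnerableLookup() {
  return evalContentScript('lpFillCallback()'); // 'ATTACKER_CONTROLLED'
}
// Fixed pattern: the same expression is refused, while the script's own
// declarations (here a constructed `lpVersion`) stay reachable.
function sandboxedLookup() {
  const sandbox = makeSandbox({ lpVersion: '4.1.44' });
  let blocked = false;
  try {
    evalContentScript('lpFillCallback()', sandbox);
  } catch (e) {
    blocked = e instanceof ReferenceError;
  }
  return { blocked, ownValue: evalContentScript('lpVersion', sandbox) };
}
```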
We worked directly with Google’s Project Zero to verify that our fixes were comprehensive. Once the fix was ready for all affected extensions, we were able to have them reviewed by all stores and pushed to users very quickly. We want to thank our partners at Apple, Google, Microsoft, Mozilla, Opera, Yandex and others who fast-tracked our extension review and release.
We strongly urge other extension developers to look for this pattern in their code and ensure they are not vulnerable.
We’re in the business of password management; security is and always will be our top priority. We greatly appreciate the work of the security community, which challenges our product and works with our teams to ensure we’re delivering a secure service for our users. As a market leader, we get the best of the best testing LastPass, and in return our software and our customers benefit.
In an effort to maintain the highest level of security, we will continue to partner with white-hat security researchers and provide incentives to participate in our bug bounty program (https://bugcrowd.com/lastpass). Stay tuned for more to come on this.
The LastPass Team
March 27, 2017 (7:10 PM)
Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties, so you can expect a more detailed postmortem once this work is complete.
In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and who work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users a few steps they can take to further protect themselves from these types of client-side issues.
- Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
- Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
- Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.
We’ll provide further updates on the patch once complete.