When we launched the LastPass bug bounty program in 2013, we set out with the goal of building a better, stronger solution for our customers. As an industry best practice, a well-run bug bounty program helps us maintain a strong security posture. This allows us to crowdsource cyber security knowledge from some of the best in the field and is just one of the many ways we put LastPass’ security measures to the test. We believe incentivizing top researchers benefits the product, and, ultimately, our customers.
Today we wanted to share a few recent product improvements that are now live, as a result of the bug bounty program.
The Security Reports
The first three updates are a result of working with Wladimir Palant, a security researcher and developer who has previously collaborated with the LastPass team on security improvements. The last update came from researcher Ryan Pickern, who also submitted the report to our Bugcrowd platform.
#1 Increasing client-side PBKDF2 to 100,100 rounds
The report: In a report earlier this year, Wladimir demonstrated a potential vulnerability that may allow an attacker to brute-force the user’s master password through the encrypted RSA sharing key. Users with weak master passwords (dictionary-based, reused, or short passwords) may be at risk in this scenario. As always, our advice to users is to create a long, passphrase-style master password and enable multi-factor authentication on your LastPass account. Long and complex master passwords significantly raise the amount of effort required for brute-forcing (see the zxcvbn blog post about password strength and complexity).
The fix: We increased the number of PBKDF2 iterations we use to generate the vault encryption key to 100,100. The default for new users was changed in February 2018 and we are in the process of automatically migrating all existing LastPass users to the new default. No further user action is needed. If you want to be upgraded now, simply log in to your LastPass account on lastpass.com.
We continue to recommend that users do not reuse their master password anywhere and follow our guidance to use a strong master password that is going to be difficult to brute-force.
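To make the effect of the iteration count concrete, here is an added example (not LastPass code) that measures the cost of one key derivation, which is also the cost of one offline guess, and scales it to password spaces of different sizes. Only the 100,100 figure comes from the post; PBKDF2-HMAC-SHA256, the salt, the lower comparison count, the entropy levels and the worker count are assumptions chosen for illustration.

```python
import hashlib
import time

PAGE_ITERATIONS = 100_100       # iteration count stated in the post
COMPARISON_ITERATIONS = 5_000   # constructed lower count, for comparison only
SALT = b"user@example.com"      # constructed salt; the salt choice is an assumption

def derive_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """One key derivation, which is also the cost of one offline guess.
    PBKDF2-HMAC-SHA256 with a 32-byte output is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for a single derivation on this machine."""
    best = float("inf")
    for i in range(samples):
        start = time.perf_counter()
        derive_key(f"guess-{i}", iterations)
        best = min(best, time.perf_counter() - start)
    return best

def years_to_exhaust(entropy_bits: float, per_guess: float, workers: int = 1) -> float:
    """Time to try every candidate in a 2**entropy_bits space, in years."""
    return (2 ** entropy_bits) * per_guess / workers / (365 * 86_400)

def cost_table(workers: int = 1000):
    """Rows of (entropy_bits, iterations, years), grouped by iteration count."""
    rows = []
    for iterations in (COMPARISON_ITERATIONS, PAGE_ITERATIONS):
        per_guess = seconds_per_guess(iterations)
        for bits in (28, 40, 60):   # constructed strength levels: weak to strong
            rows.append((bits, iterations, years_to_exhaust(bits, per_guess, workers)))
    return rows

if __name__ == "__main__":
    for bits, iterations, years in cost_table():
        print(f"{bits:>2} bits, {iterations:>7} iterations: {years:.3g} years")
```

The iteration count multiplies the cost linearly, while each extra bit of password entropy doubles it, which is why the advice about a long master password still applies after the increase.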
#2 Protecting sensitive data
The report: When logged in to LastPass on the website, a script that contained the user’s email and the encrypted RSA sharing key was loaded. This was due to a bug with our standard CSRF protection, which caused the script not to function properly.
The fix: The script can now only be loaded when supplying a valid CSRF token, reducing the risk that any third parties would be able to gain access to user data. We also removed the RSA sharing keys from the script’s generated output.
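The two parts of this fix can be sketched as follows, as an added example that is not LastPass code: a per-user script is served only when the request carries a CSRF token bound to the session, and the generated script contains no key material. The handler name, session fields, query parameter and response headers are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed per-deployment signing key

# Constructed session record; the field names are hypothetical.
SAMPLE_SESSION = {"id": "sess-1234", "email": "user@example.com",
                  "encrypted_sharing_key": "CONSTRUCTED-KEY-BLOB"}

def issue_csrf_token(session_id: str) -> str:
    """Token derived from the session id, so it is useless in any other session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def token_is_valid(session_id: str, token) -> bool:
    """Constant-time check; a missing or non-string token is rejected."""
    if not isinstance(token, str):
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), token.encode())

def serve_account_script(session: dict, query: dict):
    """Hypothetical handler for a per-user script. Returns (status, headers, body)."""
    # A cross-site <script src=...> include sends the session cookie but cannot
    # know the token, so it is refused before any user data is rendered.
    if not token_is_valid(session["id"], query.get("token")):
        return 403, {"Content-Type": "text/plain"}, "invalid CSRF token"
    # Only non-secret fields are written; the sharing key is never serialised.
    payload = {"email": session["email"]}
    headers = {"Content-Type": "application/javascript",
               "Cache-Control": "no-store",
               "X-Content-Type-Options": "nosniff"}
    return 200, headers, "var account = " + json.dumps(payload) + ";"

if __name__ == "__main__":
    good = {"token": issue_csrf_token(SAMPLE_SESSION["id"])}
    print(serve_account_script(SAMPLE_SESSION, {})[0])      # request without token
    print(serve_account_script(SAMPLE_SESSION, good)[0])    # request with valid token
```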
#3 Protecting One-Time Passwords (OTP)
The report: The OTP recovery functionality could be used maliciously to potentially gain access to a user account if the attacker had access to both (a) the logged-in email account of the user and (b) the browser on which the user installed the LastPass extension and previously logged in to their account.
The fix: This is a by-design feature that allows users to recover their account in the event that they misplace their master password. Without this functionality, users would be unable to regain access to their account. If desired, users can disable this feature at any time in Extension Settings.
While the design still holds, we added an extra user-facing confirmation step during the recovery process. The extension triggers a confirmation asking if the user wants to allow the use of the local recovery OTP. If the user says yes, the extension provides it to the recovery page where the process can finish in the client’s browser. This confirmation is designed to provide additional protection against silent scripted attacks.
#4 Preventing URL Spoofing
The report: Using the web browser built into the LastPass iOS app, one could create a link which redirects to a malicious website through an open redirect, but without updating the URL bar. This only applies to sites with open redirects. Although LastPass would not autofill login credentials in this case, a user might potentially be tricked or lured into manually entering their credentials, which would then be sent to the malicious site.
The fix: We now update the URL bar during a redirect, instead of only at the end of a page load. This means the website URL is available and updated so the user can clearly see if a malicious attempt is occurring by improper use of a redirect.
The LastPass extensions and mobile app have been updated with these fixes. Most users should be updated automatically, but you can always download the latest versions from our website.
We strive to make LastPass as secure as possible with the bug bounty program, and this level of scrutiny makes LastPass a better, stronger product. We are pleased to see high-quality reports coming in from our security community, and to work so closely with researchers to make the necessary fixes. This batch of reports has resulted in several key improvements to the LastPass security architecture, and performance improvements, too.
Finally, we want to express our gratitude to researchers Wladimir Palant and Ryan Pickern for their responsible disclosure, and for their time and effort working with us on seeing these improvements through.
Stay tuned for future reports
In the last five years since we launched our bug bounty program, our commitment to security has remained constant and we’ve increased efforts by creating dedicated teams that focus solely on security. As a part of that ongoing work, we are going to regularly share with you the most important bug bounty reports that our team investigated and fixed.
We’re planning on a bi-annual cadence for sharing readouts on our bug bounty program. This allows us to not only highlight the important work the security community is doing but also maintain transparency with our user base about how we’re improving LastPass over time. So please be sure to subscribe to the blog (on the right side of the page) to keep up with these reports.
And if you yourself are a security researcher, we welcome you to report any findings through our Bugcrowd profile.