LastPass BugCrowd Update – 2H 2018

A well-run bug bounty program allows us to crowdsource cyber security knowledge from some of the best in the field and is just one of the many ways we put LastPass’ security measures to the test. We believe incentivizing top researchers benefits the product, and, ultimately, our customers.   

Here are a few recent product improvements that are now live, as a result of the bug bounty program in the second half of 2018.   

The Security Reports  

#1 Requiring explicit user approval before filling unknown apps 

The report: As a result of working with researchers from the University of Genoa, Italy, and EURECOM, we were able to find a malicious Android application that was able to trick LastPass into auto-filling the username and password for other legitimate Android apps. It was also discovered that malicious apps with package name beginning with the reverse of the target domain name, such as com.facebook, would autofill credentials as well. This makes phishing attacks on mobile easier and also harder to detect.

The fix: While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report. Our app now requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted.  

#2 Using a reliable source to determine the URL for websiteon iOS 

The report: A malicious web site opened in iOS Safari could send a URL different from its actual URL when a user tries fills the login form using the LastPass mobile app. This could trick users to enter credentials of a different web site.  

The fix:  The LastPass app now determines the URL using a data source that cannot be manipulated by the website. 

#3 Authentication bypass on Android 

The report:  In certain instances, users of the LastPass Android mobile app were able to bypass the fingerprint authentication and gain access to their account. This scenario was only applicable if the user locked the LastPass app; if the user was logged out properly, the bypass would not occur. The bypass presented risk if a malicious third party were to gain physical control over a user’s mobile device.

The fix: The LastPass engineering teams changed how the fingerprint authentication prompted itself to ensure that the authentication window appears immediately when the app is opened. This prevents the user from accessing the account before re-verifying through fingerprint. 

Making LastPass Stronger 

We strive to make LastPass as secure as possible with the help of this bug bounty program —this level of scrutiny makes LastPass a better, stronger product. This batch of reports has resulted in several key improvements to the LastPass security architecture, and performance improvements, too. We want to express our gratitude to the researchers for their responsible disclosure, and for their time and effort working with us on seeing these improvements through.  

As we said last time, we are committed to regularly sharing the most important bug bounty reports that our team investigated and fixed with our users. So, if you haven’t already, please subscribe to the blog to keep up with these reports. And if you are a security researcher, we welcome you to report any findings through our BugCrowd profile.

4 Comments

  • Ken Lutz says:

    I am unable to get lasspass to enterlogin info for charles Schwab site. his site used to work.

    • Amber Steel says:

      Try deleting and re-saving the login, they may have updated something on their login page. If problems continue please contact our support team.

  • Paul Flynn says:

    LP opens automatically whenever I open Chrome. I never have to enter my master password. Why?

    • Amber Steel says:

      By default LastPass stays signed in, for convenience, but you can change this in your LastPass Icon > Preferences > check the automatically logout option.