LastPass Bugcrowd Update – 1H 2019

The LastPass bug bounty program is one of the many ways we put LastPass’ security to the test. We crowdsource cyber security knowledge from some of the best researchers in the security industry to help build a better, stronger solution for our customers. 

Today, we wanted to share a few recent product improvements that are now live because of the bug bounty program in the first half of 2019. 

#1 Potential Manipulation of Server-side Code 

The report: The bug bounty report submitted by Wladimir Palant described a hypothetical scenario: if LastPass servers were compromised and server-side code were manipulated, the manipulated code could permit abuse of the website and of a user’s vault extension without the user’s knowledge.

The fix: Following this report, we took additional steps to ensure that code served from the server cannot access secrets on the client side without the knowledge of the user. LastPass protects infrastructure and customer data with appropriate security controls and practices and maintains regularly upgraded systems. Additionally, LastPass is regularly audited both internally and via third-party assessments evaluating the internal controls that protect the security, confidentiality, integrity, availability and privacy of the information with which our customers entrust us. LastPass maintains SOC2 Type II and SOC 3 reports, as well as a TRUSTe Verified Privacy certification.

#2 Password Managers and Memory 

The report: A report indicated that certain secrets could be found in system memory (RAM) while the application was in a locked state. It applied specifically to LastPass for Applications, our legacy local Windows application (which accounts for less than 0.2% of all LastPass usage). To read an application’s memory, an attacker or malicious actor would first need local access and administrator-level privileges on the compromised computer. Separately, the report raised awareness of a limitation in protecting secrets in memory against an attacker with administrative privileges. Generally speaking, and in line with the view of other password managers, once an attacker has local access and administrator-level privileges, the operating system is compromised, and the attacker will end up with access to anything on the device, irrespective of whether LastPass or any other password manager is used. This is an issue independent of password manager use: for example, a malicious actor who has effectively compromised a computer or a user’s software can install a keylogger to read typed passwords, or gain access to email and reset accounts.

The fix: We have already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report. To mitigate the risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and leaving nothing behind. However, while LastPass has taken certain steps to help mitigate potential harm, observations of this nature highlight the need for users to safeguard their own systems and software appropriately in order to prevent client-side compromise by malicious actors or attackers.
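As an added illustration (not LastPass code) of the point behind this fix, the C program below contrasts a lock that only flips a state flag with one that also zeroises the key material, using a volatile function pointer so the wipe is not optimised away as a dead store. The vault structure, function names and sample key are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32

/* Constructed example: a minimal vault holding a derived key while unlocked. */
typedef struct {
    uint8_t key[KEY_LEN];
    int unlocked;
} vault_t;

/* Call memset through a volatile function pointer so the compiler cannot treat
 * the wipe as a dead store; explicit_bzero()/SecureZeroMemory() are platform equivalents. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

/* Unlock: a real client derives the key from the master password; here the caller supplies it. */
void vault_unlock(vault_t *v, const uint8_t *key) {
    memcpy(v->key, key, KEY_LEN);
    v->unlocked = 1;
}

/* Lock: zeroise the key instead of only flipping the state flag. Leaving the
 * key bytes in RAM while "locked" is the behaviour the report describes. */
void vault_lock(vault_t *v) {
    secure_memset(v->key, 0, KEY_LEN);
    v->unlocked = 0;
}

/* Returns 1 if no key bytes remain in the vault's memory. */
int vault_key_is_wiped(const vault_t *v) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= v->key[i];
    return acc == 0;
}

/* End-to-end check: 1 if the key is present while unlocked and gone after lock, else 0. */
int lock_wipes_key(void) {
    vault_t v = {0};
    uint8_t k[KEY_LEN];                       /* constructed sample key */
    for (int i = 0; i < KEY_LEN; i++) k[i] = (uint8_t)(0xA0 + i);
    vault_unlock(&v, k);
    int present = !vault_key_is_wiped(&v);
    vault_lock(&v);
    return present && vault_key_is_wiped(&v) && !v.unlocked;
}

int main(void) {
    printf("key wiped on lock: %s\n", lock_wipes_key() ? "yes" : "no");
    return 0;
}
```

This covers only the application's own buffers; copies held by the OS (swap, crash dumps, debugger access with administrator rights) are outside its control, which is why shutting the process down entirely is the stronger mitigation the post describes.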

#3 Account Reset Process 

The report: This report relates to a scenario in the account reset process. If a LastPass user reset their account, the reset would clear the user’s vault but could preserve their membership in any Shared Folders. On their next login, the user could potentially inherit the Shared Folder access of the user listed above them in the Admin’s Shared Folder permissions list.

The fix: The LastPass engineering teams worked on multiple fixes to ensure that users are fully removed from any Shared Folders through the account reset process. This report also helped inform the business decision to prevent users from receiving their original Shared Folders after resetting their account. Instead, the Admin with access will need to reassign the Shared Folder to the user.

Committed to Security 

Security is always our highest priority here at LastPass. Our Bug Bounty program puts LastPass’ security to the test so we can build a better, stronger product for our customers. We will continue to work with the security community to respond to and fix potential vulnerability reports as quickly as possible.

If you are a security researcher, we welcome you to report any findings through our Bugcrowd profile. You can also view our most recent Bugcrowd update here.