
Vulnerabilities Discovered in LastPass App Could Compromise Passwords

This summer, PC security experts warned of potential weak points in identity management services. The occasion was a new security issue in LastPass, discovered by a Google Project Zero researcher, which recalled a previous bug found in the same password manager about a year earlier. Unfortunately, the general question of how safe applications that offer to store sensitive personal data really are still stands.

Researcher Tavis Ormandy from Google Project Zero found a way to compromise LastPass in July this year. The bug he reported affected only the Mozilla Firefox add-on and has already been fixed by the LastPass team. LastPass described the problem on its blog as a "message hijacking bug" that could execute certain actions in the background. It turned out to be a severe issue that could completely compromise users' data, although it required luring the user into visiting a malicious website.

A similar issue was discovered last year by Mathias Karlsson, who works for the web security service Detectify. Karlsson decided to check how robust LastPass was and searched for vulnerabilities in the application's build. While simulating an automated attack, he found a severe problem that could cause user passwords to leak and end up in the hands of black hat hackers.

LastPass is installed as a browser extension that stores the passwords for all of a user's accounts and grants access to them through a single master password. The danger came from the URL parsing code that LastPass employs, combined with its auto-fill function. LastPass injects HTML code into every page the user visits, recognizes the domain from the URL, and then automatically fills the user's details into the login form. This is convenient for users, but the potential cost, a compromised password, is considerable.

According to Karlsson, the parsing code that LastPass used to determine which domain the browser was currently loading,

    var fixedURL = url.match(/^(.*:\/\/[^\/]+\/.*)@/);
    fixedURL && (url = url.substring(0, fixedURL[1].length) + url.substring(fixedURL[1].length).replace(/@/g, "%40"));

had a severe bug. It allowed attackers to craft URLs that tricked the parser into handing out users' credentials without either the user or LastPass' security team noticing. Given a URL such as "attacker-site.com/@twitter.com/@script.php," the LastPass extension would take into account only the last occurrence of "@." It would therefore conclude that the user was on the domain twitter.com and fill that account's credentials into the login form. The attacker could then read the data out of the login fields by running JavaScript code on the site.
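The flaw is easiest to see by running the quoted snippet. The following JavaScript is an added example, not LastPass' or Karlsson's code: the first step of legacyDomain() is the snippet quoted above, while the userinfo-stripping step after it is an assumption about how the rest of the old parser behaved, reconstructed from the article's description; safeDomain() shows the hardened alternative of delegating host extraction to the WHATWG URL parser.

```javascript
// Added example, not LastPass or Detectify code. Reproduces the domain
// confusion the article describes and contrasts it with a hardened parser.

// Legacy-style domain extraction. The first step is the snippet quoted in the
// article; the second step (treating text before the remaining '@' as
// userinfo) is an ASSUMPTION about how the rest of the old parser behaved.
function legacyDomain(url) {
  // Greedy '.*' means group 1 runs up to the LAST '@', so only that final
  // '@' is escaped to '%40'; any earlier '@' in the path survives.
  var fixedURL = url.match(/^(.*:\/\/[^\/]+\/.*)@/);
  fixedURL && (url = url.substring(0, fixedURL[1].length) +
    url.substring(fixedURL[1].length).replace(/@/g, "%40"));

  // Assumed follow-up: drop the scheme, treat everything up to a remaining
  // '@' as userinfo, and take the text before the next '/' as the host.
  let rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const at = rest.indexOf("@");
  if (at !== -1) rest = rest.substring(at + 1);
  return rest.split("/")[0].toLowerCase();
}

// Hardened variant: the WHATWG URL parser ends the authority at the first '/',
// so an '@' inside the path can never be mistaken for a userinfo separator.
function safeDomain(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null; // not a valid absolute URL: never autofill
  }
}

// Autofill decision: credentials are released only when the parsed host
// equals the host the credentials were saved for.
function wouldAutofill(url, savedHost, parser) {
  return parser(url) === savedHost.toLowerCase();
}

// Constructed sample: the URL shape from the article, with a scheme added
// because the quoted regex requires '://'.
const crafted = "http://attacker-site.com/@twitter.com/@script.php";
console.log("legacy host:", legacyDomain(crafted));   // twitter.com
console.log("safe host:  ", safeDomain(crafted));     // attacker-site.com
console.log("legacy autofill:", wouldAutofill(crafted, "twitter.com", legacyDomain)); // true
console.log("safe autofill:  ", wouldAutofill(crafted, "twitter.com", safeDomain));   // false
```

A single '@' in the path (attacker-site.com/@twitter.com) is escaped correctly by the legacy code; the bug only appears once a second '@' lets the first one survive, which is why a real URL parser rather than a regex is the right fix.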

Even though the initial security issue was quickly remedied by the LastPass team, caution is still required from users of the app. Attackers would, however, need social engineering to lure the user to their website, so not clicking on questionable links could save your data. Furthermore, disabling the auto-fill functionality would have prevented the dangers arising from the bug that Mathias Karlsson discovered. There is also the multi-factor authentication option, which requires an additional verification step through a different device before access to the account is granted.

While password managers aren't 100% safe, they still seem the better option compared with the other popular way of dealing with passwords, namely using a single password for all accounts. Of course, that holds true only if users are aware of the various kinds of phishing attacks and use a unique, strong password for each of their online accounts. Password strength is measured in bits; PC security experts claim that an 80-bit password of 12 characters drawn from symbols, numbers, uppercase and lowercase letters gives a substantial and acceptable level of protection.
