LastPass, the password manager, has fixed a zero-day flaw in breakneck time: less than 24 hours after it was reported. The flaw, caused by a buggy script, would have allowed remote code execution and the theft of users’ stored passwords.
The issue was reported by Tavis Ormandy of Google’s Project Zero on Tuesday and was quickly resolved, according to LastPass. That said, it’s a good example of why bug bounty programs and other code-review best practices
“As in this case, the best defense against such issues is multiple eyeballs on the code,” said Lee Munson, security researcher for Comparitech, via email. “The reason why remote code execution bugs keep on cropping up is the same one that pervades all areas of security, namely the human, otherwise known as the weakest link. Non-adherence to secure coding practices is one side of the coin, our fallibility the other. That’s why it is so essential that companies continually test their software, long before it goes into production. While there are never any guarantees, simple steps such as requiring someone not associated with a project to act as its code reviewer, as well as external testing, can help mitigate the risks here.”
The problem shouldn’t put people off password managers, according to Tod Beardsley, research director at Rapid7, particularly given that there is no indication that the issues reported by Google were ever exploited.
“The issues with LastPass, reported by Google's Project Zero, show that security software is just like any other reasonably complex software; all have bugs, and sometimes those bugs have security implications,” he said via email. “Password managers are still far, far preferable to human-generated, human-memorable passwords. The risk associated with password reuse is far, far greater than the risk associated with a zero-day vulnerability in a particular password manager.”
He also noted that the disclosure timeline is a bit out of the ordinary.
“It's a little puzzling why Google publicly disclosed this issue merely 37 hours after the initial private disclosure to LastPass,” he said. “The issue doesn't appear to be so grave as to warrant a fast-track to disclosure, and even if it was, I would generally expect at least a couple of days’ grace period to allow for a more coordinated disclosure.”
Munson added, “The bigger risk, I would argue, comes from not using a password manager—namely that the user ends up replicating the same password across all the online accounts that they use.”
Ormandy and LastPass are not strangers; last July, he found a zero-day flaw (since fixed) in the software that could be exploited in a drive-by attack from a malicious website. If successful, the attacker gained the digital keys to the kingdom: all of the credentials the user had stored for online services.