The LastPass Vulnerability and the Future of Password Security


Facebook's Mark Zuckerberg, Google's Sundar Pichai, Twitter's Jack Dorsey: what do these three high-flying CEOs have in common? Their social media accounts were all hijacked recently due to bad password habits. To be fair, these breaches occurred indirectly as a result of triggering events—for example, a massive LinkedIn data breach led to Zuckerberg's Twitter account getting hijacked—but one thing is certain: the executive leadership of the world's leading tech companies is as prone to password management mishaps as the rest of us. And—as the latest LastPass vulnerability serves to illustrate—password management solutions may no longer be a safe alternative to memorizing passwords.

The latest LastPass vulnerability was reported on July 26th, 2016 by Google Security Team researcher Tavis Ormandy, perhaps best known for his discovery of vulnerabilities in Sophos, Symantec, and FireEye products. Ormandy revealed that a message-hijacking bug in LastPass' Firefox add-on could allow remote attackers to take over users' LastPass accounts and gain access to their entire password database. Fortunately, to be exploited a user must first visit a specially crafted website with Firefox and the LastPass browser extension installed.

The issue has since been resolved: Firefox users on LastPass 4.0 have automatically been pushed an update with the fix in version 4.1.21a. Alternatively, LastPass has provided an update link for manually applying the fix.
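A defender's check for the fix described above, written for this post rather than taken from LastPass or UpGuard: it parses LastPass-style version strings (including the trailing letter in 4.1.21a), compares an installed version against the fixed one, and scans a Firefox profile's extensions.json. The add-on ID and the extensions.json layout are assumptions, and the sample profile is constructed.

```python
import json
import re

# Version that carries the fix, as the post states.
FIXED_VERSION = "4.1.21a"

# Assumed add-on ID: a labelled placeholder, not LastPass's real identifier.
LASTPASS_ADDON_ID = "LASTPASS_ADDON_ID_PLACEHOLDER"

_COMPONENT = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(version: str) -> tuple:
    """Turn '4.1.21a' into ((4, ''), (1, ''), (21, 'a'), (0, '')).

    A trailing letter sorts after the bare number, so 4.1.21 < 4.1.21a,
    and the tuple is padded so that 4.0 and 4.0.0 compare equal.
    """
    parts = []
    for piece in version.strip().rstrip(".").split("."):
        match = _COMPONENT.match(piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(match.group(1)), match.group(2)))
    while len(parts) < 4:
        parts.append((0, ""))
    return tuple(parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def audit_extensions(extensions_json: str, addon_id: str = LASTPASS_ADDON_ID):
    """Look the add-on up in a Firefox extensions.json document (assumed
    layout: {"addons": [{"id": ..., "version": ...}, ...]}).

    Returns None when the add-on is absent, otherwise is_patched().
    """
    data = json.loads(extensions_json)
    for addon in data.get("addons", []):
        if addon.get("id") == addon_id:
            return is_patched(addon.get("version", "0"))
    return None


# Constructed sample profile: one unrelated add-on and an outdated LastPass.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "some-other-addon@example.com", "version": "2.3"},
    {"id": LASTPASS_ADDON_ID, "version": "4.1.20"},
]})
```

On a real machine, pass the contents of the profile's extensions.json and the add-on's actual ID to audit_extensions.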

Inherently Flawed and Targeted

Both social media websites and password management applications are treasure troves of sensitive data, ripe for the taking—as such, they make exceptional cyber attack targets. This was painfully evident for the world's most popular business social network: the 167 million account credentials lost in the LinkedIn breach belonged to users including powerful business leaders, executives, corporate strategists, and more. When it comes to password management apps, vulnerabilities also abound: a previous LastPass vulnerability, discovered over a year ago by security researcher Mathias Karlsson, also allowed remote attackers to steal LastPass users' passwords when those users visited a malicious webpage. In fact, U.C. Berkeley researchers discovered security flaws in five of the leading password management solutions a few years ago, namely LastPass, RoboForm, My1login, PasswordBox (now Intel Security), and NeedMyPassword. Four of these had exploitable vulnerabilities that allowed user credentials to be stolen. The researchers summarized their findings in the report:

"The root causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model... Our study suggests that it remains to be a challenge for the password managers to be secure."

Bolstering Security When Passwords Aren't Enough

Security experts recommend two-factor authentication (2FA) to prevent incidents like the LinkedIn data breach, and flaws like LastPass' latest vulnerability, from resulting in further data theft and account hijacking. But even 2FA is not foolproof: in January, security researchers were able to intercept LastPass 2FA codes with a special tool called LostPass, built for harvesting LastPass password vaults. As it stands, LastPass users with 2FA configured are required to log into their registered email accounts to approve the sign-in device.

At the end of the day, 2FA and strong passwords are both critical to strong digital security. Of course, 2FA does not remove the need for hard-to-guess passwords, and, unfortunately, the jury is still out on password manager applications. But when it comes to vulnerabilities in today's cyber threat landscape, the directive is clear: stay on top of your patches and updates or risk being compromised. To this end, UpGuard's resilience platform automatically scans your whole environment for vulnerabilities like the recently discovered LastPass software flaw, allowing you to identify and patch infrastructure security flaws before cyber attackers do.
