
LastPass, used by millions, may be vulnerable to shockingly simple exploits

LastPass was vulnerable, a white hat hacker at Google’s Project Zero claimed Tuesday. A patch for the problem was out by Thursday, Engadget is reporting.

Tavis Ormandy, a researcher on Google’s security research team Project Zero, sarcastically asked on Twitter yesterday whether anyone actually uses LastPass, adding that he had found a bunch of fundamental security problems with little more than a quick glance, Betanews reports. LastPass is the most popular password storage service on the planet, with millions of users.

Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap.

— Tavis Ormandy (@taviso) July 26, 2016

Ormandy has sent a report of the security problems to LastPass, which has patched the issues. The issue, LastPass says, is that a malicious website could access the Firefox extension without the user’s knowledge and do things like delete passwords from the service. The issue is fully resolved now.

Here are the details of the vulnerability I reported https://t.co/2fWFyBFzUm https://t.co/3HaEQRJEqa

— Tavis Ormandy (@taviso) July 28, 2016

Google’s Project Zero team routinely researches security flaws online, both in Google services and those created by other companies. Flaws are reported to the appropriate companies, who have 60 days to resolve the issue. At that point, Project Zero makes the flaws public. The idea is to encourage companies to fix the issues, and in this case that seems to be working: LastPass told Ormandy that a fix is on the way.

So we won’t know what problems Ormandy found for a while. But if you want to read something scary right now, researcher Mathias Karlsson also found a terrifying LastPass flaw that malicious sites could use to grab all your passwords in bulk if users left the automatic login feature enabled.

“First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials,” Karlsson wrote in a blog post outlining the issue. “However, the URL parsing code was flawed (bug in URL parsing? shocker!).”
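To show why the step Karlsson describes (deciding which site you are on before autofilling) is fragile when done by hand, here is an added illustration that is not LastPass's code and not Karlsson's proof of concept: a constructed, deliberately naive regex-based domain extractor beside a version that delegates to a real URL parser, with a constructed vault and a constructed URL whose query string happens to contain a vault domain.

```python
import re
from typing import Callable, Optional, Tuple

# Hypothetical naive extractor, constructed for illustration only: it scans the
# whole URL string for the last "label.tld" it can find, which means anything in
# the path or query can masquerade as the host.
NAIVE_DOMAIN_RE = re.compile(r"([a-z0-9-]+\.(?:com|net|org|se))", re.I)

def naive_domain(url: str) -> str:
    matches = NAIVE_DOMAIN_RE.findall(url)
    return matches[-1].lower() if matches else ""

def parsed_host(url: str) -> str:
    """Hardened form: let the standard URL parser split the URL and only
    accept a hostname from a web scheme. Userinfo, port, path and query are
    ignored because they are not part of the host."""
    from urllib.parse import urlsplit
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower()

# Constructed vault: host -> (username, password placeholder)
VAULT = {"example.com": ("alice", "PLACEHOLDER-PASSWORD")}

def autofill_candidate(url: str,
                       extractor: Callable[[str], str]) -> Optional[Tuple[str, str]]:
    """Return the credential an autofill routine using `extractor` would offer
    for this page, or None. Exact host match only; no substring logic."""
    host = extractor(url)
    return VAULT.get(host)

if __name__ == "__main__":
    # Constructed page URL: the host is attacker.example.net, but the query
    # string contains the string "example.com".
    page = "https://attacker.example.net/login?next=example.com"
    print("naive  :", autofill_candidate(page, naive_domain))   # offers example.com's login
    print("parsed :", autofill_candidate(page, parsed_host))    # None
```

The naive extractor hands out the example.com entry on a page that is not example.com; the parser-based check does not, which is the property an autofill decision has to guarantee before any form is touched.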

LastPass was quick to respond to the problem, and even paid Karlsson a $1,000 bounty for finding and reporting the issue.

Karlsson, for his part, thinks password managers are worth using, despite flaws like this.

“They are still much better than the alternative (password reuse),” Karlsson wrote.

Having said that, disabling autofill might be a good idea, on LastPass and similar services.

Justin Pot
Former Digital Trends Contributor