Researchers recently reported finding two separate and serious vulnerabilities in the market-leading browser password manager LastPass. Although widely seen as a consumer product, the platform is also offered to businesses in the form of LastPass Enterprise.
The first, reported by Mathias Karlsson of Detectify Labs, relates to the software's autofill feature, which he discovered could be fooled into thinking it was interacting with a site when it was in fact somewhere else. The flaw was reported and subsequently fixed a year ago, which earned Karlsson a $1,000 bounty.
The second was discovered only this week by Google researcher Tavis Ormandy, who described it as a "complete remote compromise" in a fairly detailed submission.
There is nothing unusual in any of this - security problems are found in a wide range of software these days - although, as an online password database, there was understandable anxiety that two could apparently materialise in a single week. In both cases, the company jumped on the issues and seems to have done its best to fix them.
Complicating things slightly is the fact that after years of independent development, the potentially more serious of the latest LastPass flaws (that disclosed by Ormandy) emerged in version 4.x of the password manager released in the months after the firm was bought by LogMeIn in October 2015.
LastPass: who is affected and is there a patch?
The immediate question is how users update their LastPass plug-ins to reflect fixes that might have been released by the firm.
- The Karlsson flaw was fixed over a year ago in version 3.x and would not have been an issue for anyone using one of the various LastPass multi-factor options which are available to all Premium ($12 per annum) users. This issue is now closed.
- The Ormandy flaw affects only Mozilla Firefox running version 4.x, first released as a beta in January 2016, and fixed last week in v4.1.21a, an alpha release.
This brings us to an interesting aspect of LastPass - the plug-in itself is available in two separate versions, the original version 3.x and the more recent and overhauled version 4.x.
Single users who download LastPass from the LastPass website are served v4.1.20 as a universal Windows installer covering the Mozilla Firefox, Chrome, Edge and Safari plug-ins. But Mozilla users who encounter it first in the Add-on Mozilla Store (AMO) are served version 3.3.1 by default, with the option to download 4.x as a beta.
This division has to do with the way the AMO store treats stable releases versus betas, with priority being given to stable releases even if they are months old. The result is that LastPass sees v4.x as the best version to use while Mozilla, for now, recommends v3.x.