LastPass is what’s considered a single sign-on service, or SSO. It compiles all of your passwords into a single vault that can auto-fill forms at any time. It’s convenient, saves time, and is allegedly more secure than the alternative — typically using the same password for everything.
Security researchers have determined, however, that LastPass is far from perfect. It has been found to contain the types of holes that any amateur hacker could have a field day with. Given the proper tools, user data could have easily gotten into the wrong hands, revealing myriad private login credentials and leaving them vulnerable to a host of dangerous exploits.
This news comes by way of Martin Vigo, self-proclaimed “security geek,” who recently shared his findings at the Black Hat Europe conference. Speaking alongside Alberto Garcia Illera, Vigo provided vivid instructions for getting around LastPass’ security in a demonstration of just how easy it is to get through.
The two sales force security engineers outlined several holes in the service’s security protocols, both from the outside and from within using the client or server. Locally, the experts were able to get past the two-factor authentication in LastPass using a locally stored plain text token. By doing this, Vigo and Illera were able to trick the password recovery feature, in turn managing to exploit session cookies, though other procedures ensued.
For obvious ethical reasons, all of these discoveries were immediately reported to LastPass, and the firm made some quick modifications to its security protocols. Unfortunately, as David Bison pointed out on security consultant Graham Cluley’s blog, this problem is likely not exclusive to LastPass. Rather, numerous other SSO clients probably experience the same central flaws.
On a brighter note, if you’re currently using an SSO client, it’s probably still safer than not using one at all and, say, making all of your passwords the same, easy-to-guess word. In a Tom’s Guide article, journalist Marshall Honorof writes that cracking the LastPass code would actually be quite the challenge for many cyber thieves, unless they’re able to take control of the user’s server or the device itself. Because of this, most hackers would opt for other means of password theft. Nevertheless, it’s still a concerning matter considering LastPass is used by thousands of organizations globally.
Of course, as we reported on earlier this year, LastPass was the victim of a massive data breach back in June. Perhaps even more distressing, the SSO service was purchased just last month by LogMeIn, a major SaaS (software as a service company) that underwent a data breach of its own last January.
This is the second consecutive year in which this same pair of engineers has discovered some loose strings in the LastPass code, making it painfully easy to get past its ostensibly tightly concealed vault doors. We can only hope these findings will motivate LogMeIn to improve its situation rather than making LastPass even more susceptible to threats.