Skip to main content

Despite security revisions, the secrecy of your passwords may still be at risk with LastPass

Heartbleed LastPass
LastPass is what’s considered a single sign-on service, or SSO. It compiles all of your passwords into a single vault that can auto-fill forms at any time. It’s convenient, saves time, and is allegedly more secure than the alternative — typically using the same password for everything.

Security researchers have determined, however, that LastPass is far from perfect. It has been found to contain the types of holes that any amateur hacker could have a field day with. Given the proper tools, user data could have easily gotten into the wrong hands, revealing myriad private login credentials and leaving them vulnerable to a host of dangerous exploits.

This news comes by way of Martin Vigo, self-proclaimed “security geek,” who recently shared his findings at the Black Hat Europe conference. Speaking alongside Alberto Garcia Illera, Vigo provided vivid instructions for getting around LastPass’ security in a demonstration of just how easy it is to get through.

The two sales force security engineers outlined several holes in the service’s security protocols, both from the outside and from within using the client or server. Locally, the experts were able to get past the two-factor authentication in LastPass using a locally stored plain text token. By doing this, Vigo and Illera were able to trick the password recovery feature, in turn managing to exploit session cookies, though other procedures ensued.

Most worrying for loyal LastPass devotees, however, is that by installing a few lines of JavaScript code, cybercriminals could theoretically rob users of their usernames and passwords.

For obvious ethical reasons, all of these discoveries were immediately reported to LastPass, and the firm made some quick modifications to its security protocols. Unfortunately, as David Bison pointed out on security consultant Graham Cluley’s blog, this problem is likely not exclusive to LastPass. Rather, numerous other SSO clients probably experience the same central flaws.

On a brighter note, if you’re currently using an SSO client, it’s probably still safer than not using one at all and, say, making all of your passwords the same, easy-to-guess word. In a Tom’s Guide article, journalist Marshall Honorof writes that cracking the LastPass code would actually be quite the challenge for many cyber thieves, unless they’re able to take control of the user’s server or the device itself. Because of this, most hackers would opt for other means of password theft. Nevertheless, it’s still a concerning matter considering LastPass is used by thousands of organizations globally.

Of course, as we reported on earlier this year, LastPass was the victim of a massive data breach back in June. Perhaps even more distressing, the SSO service was purchased just last month by LogMeIn, a major SaaS (software as a service company) that underwent a data breach of its own last January.

This is the second consecutive year in which this same pair of engineers has discovered some loose strings in the LastPass code, making it painfully easy to get past its ostensibly tightly concealed vault doors. We can only hope these findings will motivate LogMeIn to improve its situation rather than making LastPass even more susceptible to threats.

Editors' Recommendations

Gabe Carey
Former Digital Trends Contributor
A freelancer for Digital Trends, Gabe Carey has been covering the intersection of video games and technology since he was 16…
Latest bugs in LastPass allowed attackers to steal passwords
A hand on a laptop in a dark surrounding.

Password manager LastPass is patching a number of critical vulnerabilities in its software that left users’ passwords potentially leaking.

No software is ever totally safe and while password managers can offer a degree of security and convenience, they are not impervious as these security flaws demonstrate.

Read more
1Password bets $100,000 that security experts can't break into its systems
1password bug bounty 100k teamspresskitadminpanel

AgileBits, the developer behind 1Password, just upped the ante for bug hunters, putting up $100,000 for anyone who can break into a 1Password vault and obtain a plain text file full of “bad poetry.”

Previously, the “capture the flag” bug bounty was a mere $25,000, but in order to push security researchers to find vulnerabilities in the 1Password platform -- and to demonstrate its effectiveness -- AgileBits raised the bounty fourfold.

Read more
Password manager Dashlane now integrates with Intel SGX for hardware security
dashlane intel sgx 4  security dashboard

Password manager Dashlane has announced a new partnership with Intel that will see Dashlane use Intel’s SGX for added hardware-based security.

According to the company, the collaboration allows users to “seal” their data to their devices to avoid tampering.

Read more