Password managers are great, at least on paper. Unfortunately, things can go wrong from time to time, as LastPass is currently finding out. After having survived one security scare a couple of weeks ago, LastPass is now in the middle of another one. And this one looks a whole lot trickier to fix.
Google security researcher Tavis Ormandy recently discovered a LastPass vulnerability. He promptly informed LastPass of the problem, and the company is already working on a fix. However, users are intentionally being kept in the dark for obvious reasons. So, should you be worried?
Google Zero Finds LastPass Wanting
On Saturday (March 25), Ormandy, who works for Google’s Project Zero, tweeted that he’d discovered a client-side vulnerability in the LastPass browser extension. He obviously didn’t divulge the details, instead notifying the company of the issue and giving LastPass the standard 90 days to fix it.
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy
— Tavis Ormandy (@taviso) March 25, 2017
On Monday (March 27), LastPass published a blog post acknowledging the problem, revealing that “this attack is unique and highly sophisticated”. LastPass obviously isn’t revealing the nature of the problem, but promises that it’s now “actively addressing the vulnerability”.
In the meantime, LastPass suggests users launch websites directly from the LastPass vault, enable two-factor authentication anywhere and everywhere, and be extra vigilant against phishing attacks. This is all good advice, but there is always the option to stop using LastPass altogether.
If you’re using LastPass you should, at the very least, change the way you’re using it in the ways LastPass itself recommends. And, given the nature of this vulnerability, you may want to stop using LastPass altogether until after the fix is in. There are, after all, plenty of LastPass alternatives.
LastPass Scares Easily
As previously mentioned, this is the second security scare in as many weeks, which should worry the average LastPass user. The previous vulnerabilities were quickly patched, but, according to Ormandy, this one is “a major architectural problem”, which means it will take rather longer to fix.
Do you use LastPass? Are you worried about this vulnerability? Are you going to follow the advice of LastPass? Or stop using the browser extension altogether? How do you feel about password managers in general? Please let us know in the comments below!