Monday March 27, 2017

LastPass Working on Yet Another Security Fix

It seems like the last couple of weeks have been pretty rough for LastPass. Tavis Ormandy at Googles Project Zero team apparently had a shower epiphany, and found yet another vulnerability in LastPass resulting in arbitrary code execution. That's quite a lot accomplished before putting your pants on on a Saturday morning.

This is why I have some discomfort when it comes to password managers. If you get phished or otherwise exploited on a site by site basis, you lose one password. If your password manager gets compromised you lose them all. Because of this, I personally keep all my passwords in my noggin. It's not easy though, and I often forget and have to reset them.

News Image

To expand on the issue, LastPass also put up a post today, in which they made it clear that a fix is being worked on. The client side vulnerability discovered over the weekend allows for an attack that is "unique and highly sophisticated". As such, the firm declined to disclose anything specific about either the vulnerability or the patch, until everything is said and done. The reasoning given is that doing so could "reveal anything to less sophisticated but nefarious parties", which is of course not the intention.