LastPass: Security done wrong

Disclaimer: I am the author of Easy Passwords which is also a password manager and could be considered LastPass competitor in the widest sense.

Six month ago I wrote a detailed analysis of LastPass security architecture. In particular, I wrote:

So much for the general architecture, it has its weak spots but all in all it is pretty solid and your passwords are unlikely to be compromised at this level. However, as described in my blog post the browser integration turned out to be a massive weakness. The LastPass extension on your computer works with decrypted data, so it needs to be extra careful – and at the moment it isn’t.

I went on to point out Auto Fill functionality and internal messaging as the main weak spots of the Last Pass browser extensions. And what do I read in the news today? Google reporter Tavis Ormandy found two security vulnerabilities in LastPass. In which areas? Well, Auto Fill and internal messaging of course.

Now I could congratulate myself on a successful analysis of course, but predicting these reports wasn’t really a big feat. See, I checked out LastPass after reports about two security vulnerabilities have been published last August. I looked into what those vulnerabilities were and how they have been resolved. And I promptly found that the issues haven’t been resolved completely. Six months later Tavis Ormandy appears to have done the same and… well, you can still find ways to exploit the same old issues.

Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that’s harsh but this is what I’ve seen so far. In particular, security vulnerabilities have been addressed punctually, only the exact scenario reported has been tested by the developers. This time LastPass has driven it to an extreme by fixing a critical bug in their Chrome extension and announcing the fix even though the exact same exploit was working against their Firefox extension as well. But also with the bugs I reported previously nobody seemed to have an interest in going through the code base looking for other instances of the same issue, let alone taking obvious measures to harden the code against similar attacks or reconsidering the overall approach.

In addition to that, LastPass is very insistently downplaying the impact of the vulnerabilities. For example, an issue where I couldn’t provide an exploit (hey, I’m not even a user of the product, I don’t know it too well) was deemed not a vulnerability — Tavis Ormandy has now demonstrated that it is exploitable after all. On other occasions LastPass only admitted what the proof of concept exploit was doing, e.g. removing passwords in case of the vulnerability published by Tavis Ormandy in August last year. The LastPass developers should have known however that the messaging interface he hijacked could do far more than that.

This might be the reason why this time Tavis Ormandy shows how you can run arbitrary applications through LastPass, it’s hard to deny that the issue is really, really bad. So this time their announcement says:

  • Our investigation to date has not indicated that any sensitive user data was lost or compromised
  • No site credential passwords need to be changed

Sure it didn’t — because compromising clients this way doesn’t require access to LastPass servers. So even if black hats found this vulnerability years ago and are abusing it on a large scale, LastPass wouldn’t be likely to know. This should really have been:

We messed up and we don’t know whether your passwords are compromised as a result. You should probably change them now, just to be sure.


  • Sunny

    Wladimir thanks for the analysis and the follow up. Questions for you:

    1) Have you noticed a pwdmgr that’s better because I’d like to consider switching to it.

    2) If you have not noticed one better I’m willing to propose a secure design and built it. Would you be open to commenting on a proposal?

    There have too many problems with LP over the years, I tried a couple times to offer suggestions to help them but no response. I’m not hot to make my own product and would gladly pay someone else for excellence in usability and security. But if it’s not been done someone has to do it.

    Best regards -

    Wladimir Palant

    I’m not a passwords manager expert. Personally, I like the concept of generating per-site passwords but most tools doing that have security and usability issues – which is why I’ve created my own with Easy Passwords. But that’s not everybody’s thing.

    If you want something more comparable to LastPass then 1Password is the obvious alternative, they have a much better security track record. Tavis Ormandy supposedly has something in the pipeline for them as well, we’ll see what it turns out to be. Other than that people often recommend KeePass and KeePassX which are free and open source – no browser integration here which is bad for usability but good for security.

  • Tamás Gulácsi

    I’m using KeePassX synchronized with Dropbox between computers, laptops and phone, but not as easy and user-friendly as LastPass.

    So I’m also in wanting a secure syncing free alternative!

  • denemu denemu

    @Tamás Gulácsi,

    You can try Sticky Password. Very similar to lastpass and hopefully doesn’t have the security problems similar to the ones mentioned in the article.

    It has also a one year premium giveaway for a few more days if you download it through sharewareonsale. I wouldn’t miss it if I were looking for an alternative to lastpass.

  • I Hate Everyone

    Oh, fantastic. Now what? I have been using LastGasp for years, and was currently migrating my spouse and children to it. No idea what the hell I’m going to do now.

    I’m not interested in KeepAss. Far too clunky, even for me. But getting my family members to use it as well? And how about mobile devices? Hilarious.

    I guess the answer is “Somehow, remember hundreds of separate strong passwords.”

    Good fucking stuff.

  • Stu

    KeePass and SpiderOak sync rock a secure pipeline for me. KP with triggers that sync a local DB with the ‘shared/synced’ DB (two diff files on each local system). Yes – it’s not for novices, but for the techies, I now love this setup!

  • Joe Greten

    Enpass is what I’m using, it’s the best really….

  • Casey

    To correct the misinformation above, KeePass and KeePassX have browser integrations for Chrome and FF. Check out PassIFox and ChromeIPass.

    Wladimir Palant

    Why misinformation? These are separate products, presumably not by the same developer. Looking at PassIFox, I don’t see any security issues – but quite a few technical ones, this code appears to be very old. As to ChromeIPass, I’d advise against using that one.

  • Matt Wien

    Great write up Wladimir, I came across your blog as I was researching more info about the LastPass vulnerability. Full disclaimer, I work for competing password manager Dashlane and wanted to learn more about the competitions mishap. I found your breakdown very approachable and something I can share with less-technical prospects currently evaluating password managers.

    For anyone looking for a new PWM: Dashlane boasts the only patented security architecture in the industry paired with an award winning UX. Although I’m biased, here’s a promo code for you and your readers to try Dashlane Premium for themselves, 6 months free: U334N269

    Keep up the good work, I’ll be following you regularly from this point forward!