Password managers are tools that help you keep track of the numerous accounts that a modern digital lifestyle needs.
These days, it’s not just passwords for your mainstream online accounts such as webmail, Facebook and Twitter.
Even activities that you probably don’t associate with online life – renting an apartment, for example, registering to pay tax, or applying for a visa – often end up at a web page that requires you to create an account before you can go any further.
Choosing and remembering secure passwords is hard enough when you have plenty of time to think about it.
But the password you choose for your visa application needs to be created on the spot, even though it’s more critical than the one you have for Facebook. (Try applying for a visa with a made-up name and a fake birthday like you did for your various online personas!)
Password managers can therefore be a great help:
- They can come up in an instant with as-good-as-unguessable passwords like cAN;#F0vppVza2TB.
- They can remember unguessable passwords as easily as you can remember 123456.
- They can automatically type in complex passwords so you don’t make mistakes and lock yourself out.
- They can tie passwords to specific web pages so you don’t type them into imposter phishing sites by mistake.
- They can store your passwords in the cloud in case your laptop or phone is lost or stolen.
Those are the pros; most of us will can quickly come up with two cons:
- You will need a really good password for the password manager itself. The master password is basically a skeleton key for all your accounts.
- If you sync your passwords to the cloud, you’d better hope the cloud service doesn’t get breached.
But there’s a third problem, and it’s one that applies to any app that interacts with the outside world.
And most password managers do just that, because they usually work with your browser, and the content of various web pages, in order to decide which passwords are relevant to what sites.
In other words, your password manager is almost certainly at risk of all the usual vulnerabilities that apply to more traditional online software programs such as web browsers, Flash players and messaging apps.
Those range from DoS (denial-of-service) and information disclosure (a worrying sort of hole for a password manager to have) to EoP (elevation of privilege), and the Big Daddy of security bugs, RCE (remote code execution).
RCE means a crook can send in external content to trick your app into running unauthorised software without so much as an “Are you sure?”
Unfortunately, that’s just the sort of hole that researcher Tavis Ormandy of Google’s Project Zero security team says he’s found in the popular and widely-used password manager LastPass.
Note that an RCE bug in LastPass means that crooks who know how to exploit the vulnerability almost certainly also have an information disclosure hole at their disposal.
That’s because an RCE means that the crooks can almost certainly modify the behaviour of LastPass itself in real time, and trick it into revealing its own secrets.
But it’s worse than that, because most RCE holes also allow much more general-purpose attacks, such as implanting malware to subvert the security of other parts of the system, or installing ransomware, or stealing data directly from your hard disk that would otherwise be protected by a password that’s isn’t in LassPass.
What to do?
Should you stop using LastPass, either temporarily or permanently?
That’s hard to answer right now, but as far as we can tell, this isn’t actually a “zero-day” hole, no matter that it sounds like one.
A zero-day is where the crooks already known how to exploit a hole before a fix is available. (In other words, there were zero days during which even a well-informed sysadmin could have patched against the bug.)
In this case, Google is working with LastPass to come up with a fix, and the details of the bug have not yet been made public – what’s known, for obvious reasons, as “responsible disclosure.”
So, if you’re minded to give up LastPass on that basis alone, you probably also ought to give up Linux, Windows, OS X, Android and iOS, too.
After all, almost every security update for those platforms includes fixes for at least one (and sometimes for many) RCE holes…
…many of which were found in just the same way, by outside security researchers, and disclosed similarly.
If you are using LastPass, however, keep your eyes out for the next patch, and apply it promptly.
This piece first appeared on the Naked Security Blog by Paul Ducklin.
