LastPass scrambles to fix another major flaw – once again spotted by Google's bugfinders

Ormandy sets snowflakes off over disclosure

For most of us, Saturday morning is a time for a lie-in, a leisurely brunch, or maybe taking the kids to the park. But for some it's bug-hunting time.

Tavis Ormandy, a member of Google's crack Project Zero security team, was in the shower and thinking about LastPass – after finding a number of flaws in the password manager over the past week. Then he had an epiphany and "realized how to get codeexec in LastPass 4.1.43," he said, and filed a bug report.

The timing couldn't have been worse for LastPass engineers. They spent last weekend sorting out Tavis' other bug finds, and now it looked like they'd be back in the office again this weekend. LastPass has now confirmed that the new find is an issue and they are working on it.

"This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete," the firm said.

"We want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market."

That last statement is a kicker, because some on Twitter got very upset at Ormandy for disclosing that there was an issue with LastPass. It seems some people prefer to think that ignorance is bliss.

It seems a fair few people don't understand the rules of responsible disclosure. Researchers are perfectly free to go public by saying there is a flaw in a particular piece of code, so long as they don't say exactly what it is or how to exploit it before a patch is available.

There are some who suggest researchers shouldn't even highlight that a flaw exists. That ends up being counterproductive, since it reduces the incentive for manufacturers to fix their code. Companies might be fine with that, but it can put users at risk.

Google and others have 90-day disclosure rules for just this reason – the thinking is that if a company can't be bothered to sort out an issue in that time then they aren't really trying – although almost every researcher will give a manufacturer more time if needed. It seems some people have forgotten this. ®
