[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Lastpass Security Issue

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Lastpass Security Issue
From: Ryan Sears <rdsears@xxxxxxx>
Date: Thu, 5 May 2011 06:39:08 -0400 (EDT)

Hey all,

Early this morning the folks over at LastPass decided to issue a warning about
a potential security issue based on the fact that they detected some anomalies
in their logs.

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Basically the post outlines the fact that even though they've investigated
everything they can think of, they still noticed data potentially being
exfiltrated from one of their DBs, as more information came out then was going
in. Because of the fact they can't account for the traffic from any legitimate
source, they're being paranoid and assuming the worst (that someone found a SQL
injection presumably).

Even though their passwords were all salted, they're still forcing everyone to
change their master password. Those using 2-factor are relatively un-affected,
although they have to change their master passwords as well.

This might leave some people who use lastpass in 'Re-enable account hell',
where they have their email password stored on lastpass, but can't verify and
login to lastpass without clicking an activation link in their email. This can
be solved by using one of the plugins in offline mode with your old master
password. I'm not sure why they didn't mention it, but this has solved a lot of
people's problems.

All in all IMHO these guys take security quite seriously. They noticed an
anomaly, investigated and hours later posted something about it on their blog.
I'm not sure why no emails have been sent out, but there has been speculation
that it would have taken too long
(http://blog.lastpass.com/2011/05/lastpass-security-notification.html?showComment=1304571300013#c1232708813079521918),
which I don't really agree with. That should've been their first step IMHO,
and that's where they fell on their face a bit with all this.

They DO put impressive security measures into place when something does happen
though, as seen in the XSS bug found. They implemented HSTS, X-Frame-Options,
CSP, which I've only seen used in super rare cases:

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They're also implementing PBKDF2, so that makes me feel as though with every
security issue they're dealing with they don't just identify and re-mediate,
but actually restructure their infrastructure in order to hedge against any
potential future attack vectors. I personally see this as the best response of
any company I've ever seen from a security standpoint.

Thoughts?

Ryan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Lastpass Security Issue
  - From: Benji
- Re: [Full-disclosure] Lastpass Security Issue
  - From: Liam Randall

Prev by Date: Re: [Full-disclosure] Facebook
Next by Date: [Full-disclosure] t2'11: Call for Papers 2011 (Helsinki / Finland)
Previous by thread: [Full-disclosure] conservative.ca SQLi
Next by thread: Re: [Full-disclosure] Lastpass Security Issue
Index(es):
- Date
- Thread