LastPass Security Failures and Successes

Over the past few days, I have been reading Twitter with interest from a particularly well known security expert called Tavis Ormandy (whom works on the Google Project Zero initiative) about some interesting LastPass vulnerabilities that could potentially expose user passwords in Chrome by just using a few lines of Javascript:

At this point, and a few of my close friends whom use LastPass were wondering if we could truly trust an application like LastPass to store all of our password information.  I know from listening to a lot of security related podcasts, that security is really hard to get right for developers.  I really thankful there are people like Tavis around that can find these vulnerabilities and disclose them in a responsible fashion, in that he has contacted LastPass about the vulnerability, posted some very basic details of the vulnerability on Google Project Zero with no proof of concept, and states that LastPass have 90 days before going public with the vulnerability in all it’s detail.

However, LastPass managed to fix 3 serious bugs within a space of just 24 hours.  That is just remarkable.  LastPass patched the vuln, and because the plugin for Chrome updates automatically I immediately got the fix.  Even though there were some serious bugs, I am seriously impressed with LastPass and it shows that if you put your trust into someone whom deeply cares about security they will make sure to release security updates in a prompt manner.  It might shake your confidence that there are vulnerabilities like the ones Tavis has been finding, but I have more reassurance now that LastPass is a reputable and considerate company whom cares about it’s customers and take a very serious stance about security.  It would seem that Tavis would also agree:


So what should you take away from this?  Well, like I have said previously security is really hard for anyone and there are always going to be vulnerabilities in any piece of code (that is just how things are!).  The main thing is how the developer responds to the security incident, which I think in this instance is fantastic.  I have been a free LastPass user for the last few months, but I will be going premium to make sure that LastPass get the continued support that they deserve.