Google researcher Ormandy found yet another bug

Mar 27, 2017 21:44 GMT

Google researcher Tavis Ormandy has put folks over at LastPass to work again after spotting yet another bug in the service.

After reporting a number of serious flaws in the password manager over the past week, Ormandy had another revelation this weekend. "I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way," he wrote on his Twitter account.

Ormandy, a member of Google's Project Zero security team, is known for his knack for finding serious vulnerabilities in various services we all use, including this password manager that's supposed to be safe.

This is the second weekend in a row that LastPass engineers have to spend fixing bugs discovered by Ormandy. "This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete," the firm said on the matter.

The company also thanked Tavis and other researchers like him who help raise the bar for online security at LastPass.

The nitpickers

Because the Internet is what it is, many people got upset with Tavis for announcing that he had found another bug in LastPass. Many called him out for sharing the news over Twitter, saying that all this does is cause fear and uncertainty.

Of course, that couldn't be farther from the truth. All services face vulnerabilities, and all of them get patched sooner or later. It's probably safe to say that every online service has security vulnerabilities at all times; they simply go undiscovered. Ormandy saying that LastPass had a bug therefore wasn't that big of a deal, especially since he didn't disclose what the problem was or how to exploit it, which is what would have pushed attackers to act.

Many companies have a 90-day disclosure rule for this type of situation. The affected service has to find a way to patch the issue within that timeframe, regardless of how serious the bug is. With researchers announcing publicly that they've discovered a vulnerability, companies have that much more incentive to get to work on a fix.