LastPass is back in the headlines, and once again for the wrong reasons. The password manager is hardly a model of trustworthiness: critical security flaws in its Chrome and Firefox extensions, severe bugs that let an attacker steal all of a user's passwords with a single click, and a breach that leaked its users' personal information. All of this in less than two years.
The most recently disclosed flaw is a serious problem in the way the service implemented two-step verification. An attacker who already had the master password could disable two-factor authentication, so in practice the two factors never really existed.
The bug was reported by researcher Martin Vigo, and LastPass issued a statement announcing that the flaw had been fixed. LastPass, however, explained that to exploit the problem an attacker would have needed to take several steps to get past Google Authenticator and would first have had to lure the user to a malicious website.
Martin Vigo tells a different story. The researcher explains that LastPass used a hash of the user's password to generate the QR code used to set up two-step verification on the user's device. In other words, LastPass stored the secret two-step verification seed at a URL that could be derived from the password. What kind of two-step verification is that?
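The design property at stake is that the second factor must not be computable from the first. The following is an added example, not code from the article or from LastPass: it models two server-side seed stores and runs a design-review check against each. The first store mirrors the flaw described above by also publishing the enrolment QR payload (the TOTP seed) at a location derived from a hash of the master password; the hash choice and the URL shape are assumptions, as are the user id, password and `vault.example` host. The second store keeps the seed keyed by account and only ever checks codes server-side.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class SeedStore:
    """Hardened model: seeds are keyed by account, never leave the server after
    enrolment, and the server performs the code check itself."""

    def __init__(self) -> None:
        self._seeds: Dict[str, bytes] = {}

    def enroll(self, user_id: str, seed: Optional[bytes] = None) -> bytes:
        # A fresh random seed, unrelated to anything the user already knows.
        seed = seed if seed is not None else os.urandom(20)
        self._seeds[user_id] = seed
        return seed

    def verify(self, user_id: str, code: str, unix_time: int) -> bool:
        seed = self._seeds.get(user_id)
        if seed is None:
            return False
        return hmac.compare_digest(totp(seed, unix_time), code)


class PasswordDerivedQrStore(SeedStore):
    """Constructed model of the flaw the article describes: the enrolment QR
    payload (which carries the seed) is also served at a location that is a
    deterministic function of the master password. Hash and URL layout are
    assumptions, not LastPass's real scheme."""

    def __init__(self) -> None:
        super().__init__()
        self._qr_by_location: Dict[str, bytes] = {}

    @staticmethod
    def location_for(password: str) -> str:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return f"https://vault.example/qr/{digest}"  # hypothetical layout

    def enroll(self, user_id: str, seed: Optional[bytes] = None, password: str = "") -> bytes:
        seed = super().enroll(user_id, seed)
        self._qr_by_location[self.location_for(password)] = seed
        return seed

    def fetch_qr(self, location: str) -> Optional[bytes]:
        # The only thing protecting the seed is knowledge of the location.
        return self._qr_by_location.get(location)


def second_factor_holds(password: str, unix_time: int,
                        seed: Optional[bytes] = None) -> Dict[str, bool]:
    """Design-review check: a party holding only the first factor (the password)
    submits the best code it can compute. True means the second factor held."""
    results: Dict[str, bool] = {}

    flawed = PasswordDerivedQrStore()
    flawed.enroll("alice", seed, password=password)
    # Password -> location -> seed -> valid code: the factors have collapsed into one.
    leaked = flawed.fetch_qr(PasswordDerivedQrStore.location_for(password))
    guess = totp(leaked, unix_time) if leaked is not None else "000000"
    results["password_derived_qr_location"] = not flawed.verify("alice", guess, unix_time)

    hardened = SeedStore()
    hardened.enroll("alice", seed)
    # Anything derived from the password alone bears no relation to the random seed.
    guess = totp(hashlib.sha256(password.encode()).digest(), unix_time)
    results["independent_seed"] = not hardened.verify("alice", guess, unix_time)
    return results


if __name__ == "__main__":
    print(second_factor_holds("correct horse battery staple", 59))
```

The `totp` function is checked against the published RFC 6238 test vector (seed `12345678901234567890`, time 59, eight digits gives `94287082`), so the comparison between the two stores rests on a correct code generator rather than a stub. The point the check makes is structural: in the password-derived store, every step from password to accepted code is computable without the user's device, which is exactly the "same key for the door and the safe" situation described below.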
To put this in perspective, imagine you have a safe at home where you keep your most valuable possessions. Does it sound like a good idea for the same key to open both your front door and the safe? Should the key to the door open the safe too?
Vigo also noted that the attacker did not need to lure the victim to any malicious website at all: the QR code could be stolen from a trusted website such as Facebook or Gmail. That is another reason to think twice before trusting the service, and unfortunately another black mark on the reputation of password managers.