undefined | Better HN

0 pointsk__9y ago0 comments

They sold their future. The next bug will be sold to the highest bidder.

0 comments

People find and disclose bugs regularly even where there isn't a bounty. Most (at least 99.99%) developers don't want to see a useful, successful product fail even if they can personally gain from it. The likelihood that an exploit for Lastpass will be discovered by an attacker and sold to a nefarious actor is very small.

Further to that though, we now know that this problem is fixed in LastPass. We don't know about other password managers. To that end, LastPass is now a better option than it's rivals.

microtonal9y ago

To that end, LastPass is now a better option than it's rivals.

Only when you believe that all password managers are equally secure from the start.

There are many reasons to believe that this is not the case. Storing passwords in a cloud service is quite a red flag. Then there is a former employee stating on Twitter that part of the codebase is very neglected:

https://twitter.com/ejcx_/status/758081553712820225

v0x9y ago

I never understood why security-conscious people would choose to use a service (e.g. Lastpass) that stores all of your passwords in the cloud. Why not just use KeePass instead? Yes, it's a little bit more hassle, but all of the other password managers have been subject to serious exploits like the OPs that put people's data at serious risk of compromise.

r1ch9y ago

Bounties aren't just monetary motivation - they show that the company understands security and responsible disclosure. For example, I've found pretty bad flaws in some white label web-based CCTV DVR software (privilege escalation and session hijacking). I went to the company website and couldn't even find a technical support contact. Given there's no bug bounty or other evidence they take security seriously, I don't want to risk sending this to the wrong person and receiving legal threats etc so it will remain undisclosed.

zaroth9y ago

I have become a bit of a skeptic -- we know that a problem like this existed in the code-base and is now fixed. So, should we then conclude that LastPass is now "more secure" because of it, or is the existence of this face-palm bug in production code actually evidence that LassPass is "less secure"? Certainly I would not go so far as to claim that this bugfix somehow makes LassPass a better option than its rivals.

I put more/less secure in scare quotes, because my point is really that fixing one particular bug certainly closes that one particular attack vector, but security is not a progress bar that goes from 0 to 100.

What this write-up does in my mind is really highlight the risks that come along with using a complex piece of software to manage your passwords. We tell users they can use password managers to safeguard their passwords and increase their security. We talk a lot about the usability trade-offs which password managers entail, but perhaps not as much about the security trade-offs!

tptacek9y ago

It depends on the nature of the bug, right? In this case, the bug would make me much less likely to ever recommend LastPass.

3minus19y ago

> Further to that though, we now know that this problem is fixed in LastPass. We don't know about other password managers.

Um...it was a really stupid mistake. Writing your own bug-prone regex here instead of using an existing, trustworthy function is just really bad. Especially when the consequences of a bug mean a hacker can steal someone's passwords.

You should really hope that any company that prides itself (and bases itself) on security would never release this bug. It absolutely lowers the reputation of lastpass.

j / k navigate · click thread line to collapse