LastPass, a venture into the world of bug bounties

Posted on Tue 26 December 2017 in Security

Recently I had an experience involving the LastPass bug bounty program that didn’t end quite how I would’ve liked.

Whilst I was at work one day, I had to log in to GitHub to review an external pull request. Now, this was the first time I’d ever needed to log in to a personal account on my work laptop, so I didn’t have my LastPass account setup on the computer. The following all takes place using the LastPass Chrome Extension.

I signed out of my work LastPass, and into my personal one. As the 2FA popup appeared, the GitHub details were auto-filled on the site, despite having never logged into LastPass with my personal account on that computer before.

This was quite concerning to me, as LastPass is a service that stores a lot of very sensitive information for a lot of people and businesses.

After finishing work for the day, I did a bit more research into how this happened – and if there were any other oddities with the authentication system for LastPass. I found out that they store a local cache, so that information can be accessed offline. This makes sense, and it stores a flag to not require 2FA whilst a local cache is available.

The main issue that I found is that this flag is not cleared when the user logs out. This means that the next account to log in doesn’t need to use 2FA. And more importantly, it also means that on a public computer someone could theoretically access the last user’s local cache also without 2FA.

I found LastPass’ bug bounty program and noted that they state not to report 2FA not being required when you have a local cache, as that’s an intentional feature. Due to this, I made sure to phrase my report more towards the flags not being cleared on sign-out, as this was the main cause of the issue I had found.

My goal with the bug bounty program wasn’t to receive a payout, but more to get the issue fixed as LastPass is a service I personally use.

They ended up closing the issue as Won’t Fix, as it’s an accepted business risk for the customer. I can see why they’re willing to accept the risk here, as logging into LastPass on a public computer is already a horrendously bad idea, but it would be nice for this data to be cleared on sign-out.

Overall it was quite an interesting experience, it didn't dishearten me too much. However it's definitely something I can see a need to address, especially as it's quite a small change. So, if someone from LastPass reads this, please clear all user data when the sign-out button is pressed 🙂

Addendum

The original reproduction steps provided to LastPass are as follows,

On a fresh install,

  1. Sign into a LastPass account with 2FA enabled, and fill in the 2FA code.

  2. Sign out of that account, and sign in with another account, also with 2FA enabled. Do so on a site that has credentials the new account has stored. Don't enter 2FA code.

  3. It'll autofill the credentials. Not using local-cached offline password vault, this was a freshly formatted/installed Ubuntu machine that had only been signed into my work LastPass. During signing into my personal LastPass I had this occur. I've reproduced on another Ubuntu machine. Using the Chrome extension.

It was closed as,

This submission was reproducible but will not be fixed.