INSECURITY INDIANA JONES Tavis Ormandy of Google's Project Zero bug-hunting team has completed his excavation at password manager LastPass and come up with a serious security hole.
Ormandy does what he does, which is not running away from giant boulders but making remarkable discoveries and handing them to their rightful owners. He has found problems at a range of companies, although no Ark of the Covenant yet, and shows no signs of slowing down.
Every day, thousands of passwords get stolen… Is yours for sale? https://t.co/72pirayAld — LastPass (@LastPass) July 18, 2016
LastPass (insert 'should know better' remarks here) is the latest to be picked apart. Ormandy hasn't kept mum about his discovery, which might get him thrown off airships or pursued by ancient cults, and has tweeted about it.
Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password. — Tavis Ormandy (@taviso) July 27, 2016
There is not much to say at the moment. Ormandy has not revealed the details of the flaw, and is unlikely to before LastPass has issued a fix. That presumably cannot come quickly enough for the researcher, who wondered, in so many words, what the heck is going on at the firm.
Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap. — Tavis Ormandy (@taviso) July 26, 2016
LastPass is still working on the bug, according to a Twitter response to the INQ: "We are working to address this and will have more information soon. Thank you for your patience in the meantime," the firm said.
Ormandy is one of the hardest working men in a business that we do not call show business, but security research. He has recently found serious vulnerabilities in products from Kaspersky and Symantec, and has in at least one case been thanked for his efforts.
However, local security sheriff Graham Cluley once wrote in a blog post: "Tavis Ormandy, a security researcher at Google, has made a controversial name for himself over the years by disclosing security vulnerabilities in products from other software vendors.
"His critics, of which I'm one, fear that he has sometimes put innocent users at risk by not working on a coordinated disclosure with the manufacturer of the vulnerable software, ensuring that all users are protected with a patch before details of how to exploit the flaw are made public."