Recently I had an experience involving the LastPass bug bounty program that didn't end quite how I would've liked. Whilst I was at work one day, I had to log in to GitHub to review an external pull request. Now, this was the first time I'd ever needed to log in to a personal account on my work laptop, so I didn't have my LastPass account setup on the computer. The following took place using the LastPass Chrome Extension.
The Bug
I signed out of my work LastPass account and into my own. Simultaneously, as the 2FA popup appeared, the GitHub details were auto-filled on the site. Despite having never logged into LastPass with my account on that computer before.
This outcome was quite concerning to me, as LastPass is a service that stores a lot of confidential information for many people and businesses.
After finishing work for the day, I did a bit more research into how this happened and any other oddities with the authentication system for LastPass.
I found out that they store a local cache so that the extension can access that information offline. This decision makes sense, and it keeps a flag not to require 2FA whilst a local cache is available.
The main issue that I found is that the user signing out does not clear this flag. Meaning that the following account to log in doesn't need to use 2FA. And more importantly, it also means that someone could theoretically access the last user's local cache on a public computer without 2FA.
Reporting the bug
I found LastPass' bug bounty program and noted that they state not to report 2FA not being required when you have a local cache, as that's an intentional feature. Due to this, I made sure to phrase my report more towards the flags not being cleared on sign-out, as this was the leading cause of the issue I had found.
My goal with the bug bounty program wasn't to receive a payout but more to get the issue fixed as LastPass is a service I use.
They ended up closing the issue as Won't Fix, as it's an accepted business risk for the customer. I can see why they're willing to take the risk here, as logging into LastPass on a public computer is already a horrendously bad idea, but it would be nice to clear the flag on a sign-out.
Conclusion
Overall it was quite a concerning experience; it didn't dishearten me that my bug report was closed. However, I'm uncomfortable with the refusal to address the issue, especially as it could be quite a small change.
If someone from LastPass reads this, please clear all user data when a user signs out. I, like most people, prefer my password manager to not give out information without fully authenticating. I've since switched to a competing password manager due to this security flaw and a few more that didn't receive an adequate response.
Addendum
The original reproduction steps provided to LastPass are as follows,
On a fresh install,
- Sign in to a LastPass account with 2FA enabled, and fill in the 2FA code.
- Sign out of that account, and sign in with another account, also with 2FA enabled. Do so on a site that has credentials the second account has stored. Don't enter the 2FA code.
- It'll autofill the credentials. Not using local-cached offline password vault, this was a freshly formatted/installed Ubuntu machine that I had only signed into my work LastPass. During signing into my LastPass account, I had this occur. I've reproduced it on another Ubuntu machine. Using the Chrome extension.
It was closed as,
This submission was reproducible but will not be fixed.
About the Author
Hi, I'm Maddy Miller, a Senior Software Engineer at Clipchamp at Microsoft. In my spare time I love writing articles, and I also develop the Minecraft mods WorldEdit, WorldGuard, and CraftBook. My opinions are my own and do not represent those of my employer in any capacity. Find out more.